@@ -9,7 +9,7 @@
# as follows:
#
#*************************************************************
-# Copyright (c) 2003-2012, Emerging Threats
+# Copyright (c) 2003-2013, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
@@ -621,7 +621,7 @@
#by kevin ross
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; reference:url,doc.emergingthreats.net/2010495; classtype:attempted-user; sid:2010495; rev:12;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:bid,37331; reference:cve,2009-4324; classtype:attempted-user; sid:2010495; rev:12;)
#by evilghost
#
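Review bot: sid 2010495 loses its `reference:url,doc.emergingthreats.net/2010495` option but keeps `rev:12`, so tooling that tracks rule changes by sid/rev will not see the edit; the rule should end `sid:2010495; rev:13;)`. The same unbumped rev accompanies a body change in sid 2009701 (`@@ -671`), sids 2010488 and 2010489 (`@@ -1439`), sid 2006404 (`@@ -3494`, msg renamed), sids 2006425 and 2006426 (`@@ -3767`), sid 2001320 (`@@ -5051`) and sid 2001678 (`@@ -5442`). Elsewhere in this commit the rev is bumped even when a rule is only commented out (e.g. sid 2010497 goes to `rev:9`), so these look like oversights rather than a deliberate convention.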
@@ -671,7 +671,7 @@
#by Daniel Sheperd
#
-alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2;)
+#alert udp any any -> any 53 (msg:"ET DOS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; reference:url,doc.emergingthreats.net/2009701; classtype:attempted-dos; sid:2009701; rev:2;)
#by Kevin Ross, temporary, based on a specific exploit if generated in hping
#
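Review bot: sid 2009701 is commented out with its msg left as `ET DOS ...`, whereas the other rules retired in this commit are renamed to `ET DELETED` (e.g. sids 2010488 and 2010489 in the `@@ -1439` hunk); the same mixed treatment applies to sid 2010497 (`@@ -695`), sid 2002853 (`@@ -1378`), sid 2002947 (`@@ -2902`) and sid 2001678 (`@@ -5442`). If these are meant to be disabled for false positives rather than retired, the file's convention is a one-line reason above the rule, as in `#disabling for falses...` in the `@@ -1571` hunk, and none of these hunks carries one. Either rename the msg to `ET DELETED` or add a comment such as `#disabled - <reason placeholder>` above each so the next maintainer can tell which of the two states the rule is in.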
@@ -695,7 +695,7 @@
#by jason weir and wolvee
#
-alert tcp ![66.220.157.64/26,66.220.157.16/29,66.220.157.48/28,66.220.157.24/29,66.220.144.128/27,66.220.157.128/27,66.220.144.160/29,66.220.157.160/29,66.220.144.168/29,66.220.157.168/29] any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Facebook Spam Inbound (1)"; flow:established,to_server; content:"facebook.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; content:"Facebook_"; within:50; pcre:"/filename=.*facebook.*\.(rar|exe|zip)/i"; reference:url,doc.emergingthreats.net/2010497; reference:url,postmaster.facebook.com/outbound; classtype:trojan-activity; sid:2010497; rev:8;)
+#alert tcp ![66.220.157.64/26,66.220.157.16/29,66.220.157.48/28,66.220.157.24/29,66.220.144.128/27,66.220.157.128/27,66.220.144.160/29,66.220.157.160/29,66.220.144.168/29,66.220.157.168/29] any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Facebook Spam Inbound (1)"; flow:established,to_server; content:"facebook.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; content:"Facebook_"; within:50; pcre:"/filename=.*facebook.*\.(rar|exe|zip)/i"; reference:url,doc.emergingthreats.net/2010497; reference:url,postmaster.facebook.com/outbound; classtype:trojan-activity; sid:2010497; rev:9;)
#by jason weir and wolvee
#
@@ -1378,7 +1378,7 @@
#by Blake Hartstein of Demarc
#Cleaned up depth/offset/distance - Daniel Clemens
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 2049 (msg:"ET DOS FreeBSD NFS RPC Kernel Panic"; flow:to_server,established; content:"|00 01 86 a5|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 00 00 00 00 00|"; offset:0; depth:6; reference:cve,2006-0900; reference:bugtraq,19017; reference:url,doc.emergingthreats.net/bin/view/Main/2002853; classtype:attempted-dos; sid:2002853; rev:5;)
#by Blake Hartstein of Demarc
#
@@ -1439,11 +1439,11 @@
#by matt jonkman and waldo kitty
#
-alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010488; classtype:attempted-dos; sid:2010488; rev:2;)
+#alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 request)"; dsize:1; content:"|17|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010488; classtype:attempted-dos; sid:2010488; rev:2;)
#by matt jonkman and waldo kitty
#
-alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010489; classtype:attempted-dos; sid:2010489; rev:2;)
+#alert udp $HOME_NET 123 -> $EXTERNAL_NET 123 (msg:"ET DELETED Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply)"; dsize:4; content:"|97 00 00 00|"; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.kb.cert.org/vuls/id/568372; reference:cve,2009-3563; reference:url,doc.emergingthreats.net/2010489; classtype:attempted-dos; sid:2010489; rev:2;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET DOS SSL Bomb DoS Attempt"; flow:to_server,established; content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; within:1; distance:2; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; reference:url,doc.emergingthreats.net/bin/view/Main/2000016; classtype:attempted-dos; sid:2000016; rev:7;)
@@ -1474,7 +1474,7 @@
#by Akash Mahajan
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50,}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2007937; classtype:successful-dos; sid:2007937; rev:4;)
#by Blake Hartstein
#
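Review bot: the new `pcre:"/[0-9a-zA-Z]{50}/R"` in sid 2007937 still runs the regex on every packet that carries the `DSRequest` marker, including ones too short to satisfy it; adding `isdataat:50,relative;` before the pcre, as sid 2010156 in the `@@ -2748` hunk does with `isdataat:257,relative`, lets the engine skip the PCRE evaluation cheaply, i.e. `content:"|44 53 52 65 71 75 65 73 74|"; isdataat:50,relative; pcre:"/[0-9a-zA-Z]{50}/R";`. Sid 2007877 (`@@ -1571`) has the same shape but its pcre carries no `R` modifier, so `[a-zA-Z0-9]{5}` is matched anywhere in the payload rather than after the AFP3.1 marker and adds little selectivity; `pcre:"/[a-zA-Z0-9]{5}/R"` (the `i` flag is redundant for a class that already lists both cases) plus `isdataat:5,relative;` would tie it to the content match. The bounded quantifiers themselves are a sound change: `{50}` matches whenever `{50,}` did and avoids the open-ended backtracking.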
@@ -1571,7 +1571,7 @@
#by Akash Mahajan
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5,}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; reference:url,doc.emergingthreats.net/bin/view/Main/2007877; classtype:successful-dos; sid:2007877; rev:4;)
#by Kevin Ross
#disabling for falses...
@@ -2570,7 +2570,7 @@
#by Nagaraj S
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200,}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; reference:url,doc.emergingthreats.net/2009976; classtype:denial-of-service; sid:2009976; rev:4;)
#by Summit Siddharth
#
@@ -2748,7 +2748,7 @@
#by evilghost
#
-alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257,}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:5;)
+alert udp any any -> $HOME_NET 27901 (msg:"ET GAMES Alien Arena 7.30 Remote Code Execution Attempt"; content:"print|0A 5C|"; isdataat:257,relative; pcre:"/\x5C[^\x5C\x00]{257}/"; reference:url,www.packetstormsecurity.org/0910-advisories/alienarena-exec.txt; reference:url,doc.emergingthreats.net/2010156; classtype:misc-attack; sid:2010156; rev:6;)
#All by Ron Bowes. Many thanks Ron
#
@@ -2902,7 +2902,7 @@
#by Blake Hartstein of Demarc
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET GAMES PunkBuster Server webkey Buffer Overflow"; flow:established,to_server; content:"/pbsvweb"; nocase; http_uri; content:"webkey="; nocase; isdataat:500,relative; pcre:"/^[^&\n]{500}/R"; reference:url,aluigi.altervista.org/adv/pbwebbof-adv.txt; reference:url,doc.emergingthreats.net/2002947; classtype:attempted-admin; sid:2002947; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET GAMES PunkBuster Server webkey Buffer Overflow"; flow:established,to_server; content:"/pbsvweb"; nocase; http_uri; content:"webkey="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; content:!"&"; within:500; reference:url,aluigi.altervista.org/adv/pbwebbof-adv.txt; reference:url,doc.emergingthreats.net/2002947; classtype:attempted-admin; sid:2002947; rev:6;)
#By Ron Iago
#
@@ -3103,7 +3103,7 @@
#Submitted by Jason Haar
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Reporting"; flow: to_server,established; content:"/showme.aspx?"; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; classtype:trojan-activity; sid:2001400; rev:11;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 180solutions Spyware Reporting"; flow: to_server,established; content:"/showme.aspx?"; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; classtype:trojan-activity; sid:2001400; rev:12;)
#Matt Jonkman
#
@@ -3266,7 +3266,7 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave Agent Access"; flow: to_server,established; content:"/search_404.aspx?aff="; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; classtype:policy-violation; sid:2001318; rev:8;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adwave Agent Access"; flow: to_server,established; content:"/search_404.aspx?aff="; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; classtype:policy-violation; sid:2001318; rev:9;)
#Submitted by Chris Norton
#
@@ -3371,7 +3371,7 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Checkin"; flow:established,to_server; content:"/adv/"; nocase; http_uri; content:"/adload.php?a1="; nocase; http_uri; content:"&a2=Type of Processor|3a|"; nocase; http_uri; content:"&a3=Windows version is "; nocase; http_uri; content:"&a4=Build|3a|"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002955; classtype:trojan-activity; sid:2002955; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Tibs Checkin"; flow:established,to_server; content:"/adv/"; nocase; http_uri; content:".php?a1="; nocase; http_uri; content:"&a2=Type of Processor|3a|"; nocase; http_uri; content:"&a3=Windows version is "; nocase; http_uri; content:"&a4=Build|3a|"; nocase; http_uri; reference:md5,65448c8678f03253ef380c375d6670ce; classtype:trojan-activity; sid:2002955; rev:8;)
#Matt Jonkman
#
@@ -3456,11 +3456,11 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com Agent Reporting Data"; flow: to_server,established; content:"/perl/ads.pl"; nocase; http_uri; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; classtype:trojan-activity; sid:2001266; rev:13;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Browseraid.com Agent Reporting Data"; flow: to_server,established; content:"/perl/ads.pl"; nocase; http_uri; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; classtype:trojan-activity; sid:2001266; rev:14;)
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com Agent Updating"; flow: to_server,established; content:"/perl/uptodate.pl"; nocase; http_uri; content:"uptodate.browseraid.com"; nocase; http_header; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; classtype:trojan-activity; sid:2001304; rev:8;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Browseraid.com Agent Updating"; flow: to_server,established; content:"/perl/uptodate.pl"; nocase; http_uri; content:"uptodate.browseraid.com"; nocase; http_header; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; classtype:trojan-activity; sid:2001304; rev:9;)
#By Matt Jonkman
#
@@ -3494,7 +3494,7 @@
#from sandnet analysis, called CASClient by Kaspersky
#by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/ctrv.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; classtype:trojan-activity; sid:2006404; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownLoader.30525 Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/ctrv.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; classtype:trojan-activity; sid:2006404; rev:5;)
#By Matt Jonkman, From spyware listening post data
#
@@ -3640,7 +3640,7 @@
#from Lance James and Secure Science www.securescience.net -- Thanks Lance!
#too many falses...
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:6;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:7;)
#from Lance James and Secure Science www.securescience.net -- Thanks Lance!
#too many falses...
@@ -3702,7 +3702,7 @@
#deapesh misra
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:6;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:7;)
#deapesh misra
#
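Review bot: the new `flowbits:isnotset,ET.Adobe.Site.Download` in sid 2008438 is placed after `file_data`, the `MZ` match and the `byte_jump` to the PE header, so the header carving runs before the flow is ruled out; moving it directly after `flow:established,from_server;` short-circuits earlier for flows already tagged as Adobe downloads, i.e. `flow:established,from_server; flowbits:isnotset,ET.Adobe.Site.Download; content:"Content-Type|3a| text/plain"; http_header; file_data; ...`. The rule that sets `ET.Adobe.Site.Download` is not in this diff; if it is disabled or absent the check is simply vacuous and the rule behaves as before. Sid 2009909 in the `@@ -3710` hunk uses the identical MZ/PE logic for `text/css` but gets no flowbit check, so if the false positive being suppressed here is an Adobe download served with a wrong Content-Type it presumably affects that rule too — worth confirming.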
@@ -3710,11 +3710,11 @@
#from vienna
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type|3a| image/"; content:"|0d 0a|Rar!"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; classtype:trojan-activity; sid:2008754; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type|3a| image/"; content:"|0d 0a|Rar!"; fast_pattern; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; classtype:trojan-activity; sid:2008754; rev:5;)
#by: Deapesh Misra
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; fast_pattern; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; fast_pattern; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:5;)
#by evilghost
#
@@ -3767,12 +3767,12 @@
#this is for the recent rash of .co.kr fake antispyware products we're seeing.
#doctorpro.co.kr, karine.co.kr, Vaccineprogram.co.kr, Mycashbank.co.kr, etc. There will surely be more. Similar url patterns though
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; classtype:trojan-activity; sid:2006425; rev:9;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; content:"/install_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; classtype:trojan-activity; sid:2006425; rev:9;)
#this is for the recent rash of .co.kr fake antispyware products we're seeing.
#doctorpro.co.kr, karine.co.kr, Vaccineprogram.co.kr, Mycashbank.co.kr, etc. There will surely be more. Similar url patterns though
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; classtype:trojan-activity; sid:2006426; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; content:"/access_count.html?id="; nocase; http_uri; content:"&MAC="; nocase; http_uri; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; classtype:trojan-activity; sid:2006426; rev:6;)
#this is for the recent rash of .co.kr fake antispyware products we're seeing.
#doctorpro.co.kr, karine.co.kr, Vaccineprogram.co.kr, Mycashbank.co.kr, etc. There will surely be more. Similar url patterns though
@@ -3910,7 +3910,7 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendtracker)"; flow: to_server,established; content:"/bin/findwhat.dll?sendtracker&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; classtype:trojan-activity; sid:2003580; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Findwhat.com Spyware (sendtracker)"; flow: to_server,established; content:"/bin/findwhat.dll?sendtracker&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; classtype:trojan-activity; sid:2003580; rev:5;)
#Submitted by Matt Jonkman
#
@@ -3959,7 +3959,7 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; fast_pattern:only; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:22;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; fast_pattern:only; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:23;)
#Submitted by Matt Jonkman
#
@@ -4015,7 +4015,7 @@
#Matt Jonkman, from spyware LP Data
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Spyware Posting Data"; flow: to_server,established; content:"/gs_med"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; classtype:trojan-activity; sid:2003575; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gator/Clarian Spyware Posting Data"; flow: to_server,established; content:"/gs_med"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; classtype:trojan-activity; sid:2003575; rev:6;)
#These are for common names of malcode files as seen in common places.
#Matt Jonkman
@@ -4348,7 +4348,7 @@
#By Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:10;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:11;)
#By Matt Jonkman
#
@@ -5013,7 +5013,7 @@
#another fake antispyware package, by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"a1="; nocase; http_uri; content:"&a2="; nocase; http_uri; content:"&a3="; nocase; http_uri; content:"Windows"; nocase; http_uri; content:"&a4=Build"; nocase; http_uri; content:"&a5="; nocase; http_uri; content:"&table="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; classtype:trojan-activity; sid:2007842; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"a1="; nocase; http_uri; content:"&a2="; nocase; http_uri; content:"&a3="; nocase; http_uri; content:"Windows"; nocase; http_uri; content:"&a4=Build"; nocase; http_uri; content:"&a5="; nocase; http_uri; content:"&table="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; classtype:trojan-activity; sid:2007842; rev:5;)
#by matt Jonkman, from the sandnet
#
@@ -5051,7 +5051,7 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent"; flow: to_server,established; content:"/io/downloads"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; classtype:trojan-activity; sid:2001320; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Speedera Agent"; flow: to_server,established; content:"/io/downloads"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; classtype:trojan-activity; sid:2001320; rev:6;)
#Submitted by Matt Jonkman
#
@@ -5208,7 +5208,7 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; classtype:trojan-activity; sid:2001486; rev:7;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; classtype:trojan-activity; sid:2001486; rev:8;)
#horrendous multi-install service at theinstalls.com
#
@@ -5216,7 +5216,7 @@
#horrendous multi-install service at theinstalls.com
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Trojan Download"; flow:established,to_server; content:"/files/programs/"; http_uri; content:"|0d 0a|Host|3a| "; http_header; content:"theinstalls.com|0d 0a|"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; classtype:trojan-activity; sid:2007798; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Theinstalls.com Trojan Download"; flow:established,to_server; content:"/files/programs/"; http_uri; content:"|0d 0a|Host|3a| "; http_header; content:"theinstalls.com|0d 0a|"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; classtype:trojan-activity; sid:2007798; rev:7;)
#By Matt Jonkman
#
@@ -5442,7 +5442,7 @@
#Submitted by Matt Jonkman, Tweaks by Bob Grabowsky
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:trojan-activity; sid:2001678; rev:14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:trojan-activity; sid:2001678; rev:14;)
#Submitted by Matt Jonkman
#
@@ -5454,7 +5454,7 @@
#Matt Jonkman, from spyware listening post data
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Cab Download"; flow: to_server,established; content:"/Dnl/T_"; nocase; http_uri; pcre:"/\/\S+\.cab/Ui"; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; classtype:trojan-activity; sid:2003242; rev:8;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Websearch.com Cab Download"; flow: to_server,established; content:"/Dnl/T_"; nocase; http_uri; pcre:"/\/\S+\.cab/Ui"; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; classtype:trojan-activity; sid:2003242; rev:9;)
#Matt Jonkman
#
@@ -5462,7 +5462,7 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Update"; flow: to_server,established; content:"/notifier/updates"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; classtype:trojan-activity; sid:2002041; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Weird on the Web /180 Solutions Update"; flow: to_server,established; content:"/notifier/updates"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; classtype:trojan-activity; sid:2002041; rev:7;)
#Submitted by Matt Jonkman
#
@@ -5578,7 +5578,7 @@
#By Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware Activity"; flow: to_server,established; content:"/?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri; content:"&appid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; classtype:trojan-activity; sid:2003471; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Winsoftware.com Spyware Activity"; flow: to_server,established; content:"/?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri; content:"&appid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; classtype:trojan-activity; sid:2003471; rev:6;)
#matt jonkman, www.winxdefender.com fake AV package
#
@@ -5755,7 +5755,7 @@
#By Chich Thierry
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent peer sync"; flow: established; content:"|0000000d0600|"; depth:6; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P BitTorrent peer sync"; flow:established; content:"|00 00 00 0d 06 00|"; depth:6; threshold: type limit, track by_dst, seconds 300, count 1; reference:url,bitconjurer.org/BitTorrent/protocol.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000334; classtype:policy-violation; sid:2000334; rev:12;)
#By Chich Thierry
#
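Review bot: The threshold added to sid 2000334 tracks `by_dst`, so an internal host syncing with many external peers still raises one alert per peer every 300 seconds, while the other P2P rules in this diff rate-limit per internal host (2009967 at L273 and 2001841 at L265 both use `track by_src`). If the intent is one alert per offending internal host, `threshold: type limit, track by_src, seconds 300, count 1;` matches that convention; if per-peer visibility is wanted, a comment saying so would stop the next editor from "fixing" it. The rewritten hex `|00 00 00 0d 06 00|` appears to encode the same six bytes as the old `|0000000d0600|`, so detection itself looks unchanged.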
@@ -5915,7 +5915,7 @@
#by Philipp Seidel
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; content:"User-Agent|3a| FDM 3.x"; http_header; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; classtype:policy-violation; sid:2011712; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Bittorrent P2P Client User-Agent (FDM 3.x)"; flow:to_server,established; content:"User-Agent|3a| FDM 3."; http_header; reference:url,www.freedownloadmanager.org; reference:url,doc.emergingthreats.net/2011712; classtype:policy-violation; sid:2011712; rev:5;)
#Submitted by Pedro Quintanilha on 2005-11-07
#Fixed distance/offset/within/depth issues - Daniel Clemens
@@ -5981,7 +5981,7 @@
#Depth and offset added by Jeff Kell
#
-alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg:"ET P2P UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001841; classtype:policy-violation; sid:2001841; rev:7;)
+#alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg:"ET DELETED UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; reference:url,www.limewire.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001841; classtype:policy-violation; sid:2001841; rev:8;)
#by Christopher Campesi
#
@@ -6088,7 +6088,7 @@
#by christopher campesi
#
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 5, seconds 600, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:4;)
+alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET P2P eMule KAD Network Connection Request"; dsize:35; content:"|e4 21|"; depth:2; threshold: type limit, count 1, seconds 300, track by_src; reference:url,emule-project.net; reference:url,doc.emergingthreats.net/2009967; classtype:policy-violation; sid:2009967; rev:5;)
#by christopher campesi
#
@@ -6169,7 +6169,7 @@
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; content:"User-Agent|3a| AutoIt"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; classtype:policy-violation; sid:2008350; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile"; flow:established,to_server; content:"User-Agent|3a| AutoIt"; http_header; flowbits:set,ET.autoit.ua; reference:url,doc.emergingthreats.net/bin/view/Main/2008350; classtype:policy-violation; sid:2008350; rev:6;)
#by Kevin Ross
#
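Review bot: The new `flowbits:set,ET.autoit.ua` on sid 2008350 has no visible consumer in this hunk; Snort warns at rule load about a flowbit that is set but never tested with `isset`/`isnotset`, and Suricata does likewise, so the rule that checks `ET.autoit.ua` should land in the same commit or be named here. Since the rule still alerts on its own (no `noalert`), the bit only matters to a downstream rule, and a one-line comment such as `#sets flowbit ET.autoit.ua, checked by sid <CONSUMER-SID>` would make that dependency explicit.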
@@ -6195,7 +6195,7 @@
#Submitted by Joseph Gama
#Good rules, turn them on if you are interested. They are accurate.
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:17;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:18;)
#Submitted by Joseph Gama
#Good rules, turn them on if you are interested. They are accurate.
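Review bot: Dropping `file_data` and `within:2` from sid 2000419 removes the anchor that made `content:"MZ"` match only at the start of the HTTP response body; on the new side "MZ" can match anywhere in the payload on any TCP port (the destination changed from `$HTTP_PORTS` to `any`), and `byte_jump:4,58,relative,little` then reads the e_lfanew field relative to an arbitrary "MZ" occurrence. The `content:"PE|00 00|"; distance:-64; within:4` check still has to line up, which keeps noise down, but the rule is now a generic PE-in-TCP-stream detector rather than an HTTP download detector, and neither the msg nor the `ET.http.binary` flowbit name describes that. The rule remains commented out, so only sites that enable it are affected; the comment on L289-L290 ("turn them on if you are interested") should mention the widened scope.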
@@ -7274,7 +7274,7 @@
#by Myron Davis
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; reference:url,doc.emergingthreats.net/2002676; classtype:bad-unknown; sid:2002676; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY nstx DNS Tunnel Outbound"; content:"cT"; offset:12; depth:3; content:"|00 10 00 01 00 00 29 08|"; within:255; reference:url,savannah.nongnu.org/projects/nstx/; reference:url,nstx.dereference.de/nstx; reference:url,doc.emergingthreats.net/2002676; classtype:bad-unknown; sid:2002676; rev:3;)
#Submitted by Ole-Martin
#
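Review bot: Sid 2002676 is commented out on the new side but its rev stays at 3 and its msg keeps the `ET POLICY` category, whereas the other rules disabled in this diff either relabel to `ET DELETED` and bump rev (2002041, 2003471, 2001841, 2001596, 2001295) or at least bump rev (2008597 at L443, 2011031-2011034 at L461-L473). Rule managers that key on sid/rev may not register any state change for this one. Bumping to `rev:4;` and, if the rule is being retired rather than temporarily disabled, relabeling the msg to `ET DELETED nstx DNS Tunnel Outbound` keeps the history consistent.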
@@ -7477,7 +7477,7 @@
#Submitted by Michael Holstein, 2006-02-13. Reference from scheidell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Google Desktop)"; http_header; fast_pattern:37,15; nocase; threshold: type limit, count 1, seconds 360, track by_src; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; classtype:policy-violation; sid:2002801; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Google Desktop User-Agent Detected"; flow:to_server,established; content:"(compatible|3b| Google Desktop)"; http_header; fast_pattern:13,15; nocase; threshold: type limit, count 1, seconds 360, track by_src; reference:url,news.com.com/2100-1032_3-6038197.html; reference:url,doc.emergingthreats.net/2002801; classtype:policy-violation; sid:2002801; rev:12;)
#Submitted 2006-02-28 by Mark Warren. For Google appliances that "should" only spider internal web sites (but sometimes go wild and spider the Internet)
#
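Review bot: Sid 2002801 now matches `(compatible|3b| Google Desktop)` anywhere in the HTTP headers rather than in the User-Agent specifically, because the `User-Agent|3a| Mozilla/4.0 ` prefix was dropped. The `fast_pattern:13,15` offset is correct for the new string (it selects `Google Desktop)`), so the change is functionally sound; if header position matters, the file's existing idiom `pcre:"/^User-Agent\x3a[^\n]+Google Desktop\)/Hmi";` (as used for sid 2007695 at L435) would re-anchor it. The rev jumps from 10 to 12 in a single change, which suggests an intermediate revision is missing from this diff.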
@@ -7640,7 +7640,7 @@
#by Matt Jonkman, reference at http://piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gadu-Gadu IM Login Server Request"; flow:established,to_server; content:"/appsvc/appmsg"; http_uri; nocase; content:".asp"; http_uri; nocase; content:"fmnumber="; http_uri; content:"&version="; http_uri; content:"&fmt="; http_uri; content:"Host|3a| appmsg.gadu-gadu."; http_header; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008295; classtype:policy-violation; sid:2008295; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Gadu-Gadu IM Login Server Request"; flow:established,to_server; content:"/appsvc/appmsg"; http_uri; nocase; content:".asp"; http_uri; nocase; content:"fmnumber="; http_uri; content:"&version="; http_uri; content:"&fmt="; http_uri; content:"Host|3a| appmsg.gadu-gadu."; http_header; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008295; classtype:policy-violation; sid:2008295; rev:6;)
#by Matt Jonkman, reference at http://piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html
#
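Review bot: Sid 2008295 changes its msg category from `ET POLICY` to `ET CHAT` without a rev bump, and the same pattern repeats for the ICQ rules 2001801-2001805 (L316-L332), IRC 2000355 (L347), SC-KeyLog 2002979 and 2008348 (L362, L366), Skype 2001595, 2002157 and 2003022 (L373, L381, L385), TOR 2002950-2002953, 2008113 and 2008115 (L392-L412) and Gold VIP 2007746 (L420). Tooling that decides whether a local copy of a rule is stale by comparing sid and rev may keep the old msg, and the category prefix is what most SIEM correlation keys on. If category renames are treated as metadata-only and deliberately exempt from rev bumps, stating that policy in the file header would make the exception intentional rather than accidental.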
@@ -7696,23 +7696,23 @@
#By Merphie from the forums
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET POLICY ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001801; classtype:policy-violation; sid:2001801; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001801; classtype:policy-violation; sid:2001801; rev:5;)
#By Merphie from the forums
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET POLICY ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001802; classtype:policy-violation; sid:2001802; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001802; classtype:policy-violation; sid:2001802; rev:6;)
#By Merphie from the forums
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET POLICY ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001803; classtype:policy-violation; sid:2001803; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001803; classtype:policy-violation; sid:2001803; rev:6;)
#By Merphie from the forums
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET POLICY ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; reference:url,doc.emergingthreats.net/2001804; classtype:policy-violation; sid:2001804; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; reference:url,doc.emergingthreats.net/2001804; classtype:policy-violation; sid:2001804; rev:5;)
#By Merphie from the forums
#
-alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET POLICY ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; reference:url,doc.emergingthreats.net/2001805; classtype:policy-violation; sid:2001805; rev:5;)
+alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; reference:url,doc.emergingthreats.net/2001805; classtype:policy-violation; sid:2001805; rev:5;)
#matt jonkman
#
@@ -7854,7 +7854,7 @@
#by matt jonkman
#these services aren't bad inherently, but are often used by trojans to get their external IP
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Host|3a| "; http_header; content:"whatismyip."; within:15; http_header; reference:url,doc.emergingthreats.net/2008986; classtype:attempted-recon; sid:2008986; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Host|3a| "; http_header; content:"whatismyip."; within:15; http_header; classtype:attempted-recon; sid:2008986; rev:5;)
#by matt jonkman
#these services aren't bad inherently, but are often used by trojans to get their external IP
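Review bot: Sid 2008986 loses its `reference:url,doc.emergingthreats.net/2008986` without a rev bump, as do 2008529 at L447 and 2011029 at L480. Dropping a reference is metadata-only, but for a rule whose msg says "Possible Infection" that link was the only pointer to the rationale, and the inline comment on L337 now carries that context alone. If the documentation site is being retired, a short note in the file header would explain the removals; otherwise a replacement reference is worth adding.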
@@ -7878,7 +7878,7 @@
#Submitted by Vernon Stark
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; reference:url,doc.emergingthreats.net/2000355; classtype:misc-activity; sid:2000355; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; reference:url,doc.emergingthreats.net/2000355; classtype:misc-activity; sid:2000355; rev:5;)
#Submitted by Vernon Stark
#
@@ -7926,7 +7926,7 @@
#by William Metcalf
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; content:"GET"; http_method; content:"/myrahost/list.aspx?"; nocase; http_uri; content:!"Host|3a| "; http_header; reference:url,doc.emergingthreats.net/2007765; classtype:policy-violation; sid:2007765; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Logmein.com Host List Download"; flow:established,to_server; content:"GET"; http_method; content:"/myrahost/list.aspx?"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007765; classtype:policy-violation; sid:2007765; rev:8;)
#by William Metcalf
#
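Review bot: Sid 2007765 drops `content:!"Host|3a| "; http_header;`, so the rule now fires on any `GET /myrahost/list.aspx?` regardless of whether a Host header is present; the negated check appears to have been what separated the client's request from an ordinary browser hitting the same path, though the original intent is not documented. The rev jumps from 5 to 8, but neither the rule nor the comment on L351 records why the Host exclusion was removed. A comment such as `#Host header exclusion removed: <REASON> - <AUTHOR>` would preserve the reasoning for the next editor.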
@@ -8305,11 +8305,11 @@
#Matt Jonkman, modified by jholguin (tb-security)
#This is a commercial product, but we see it very often used in malware. Send this email on install
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY SC-KeyLog Keylogger Installed - Sending Initial Email Report"; flow:established,to_server; content:"Installation of SC-KeyLog on host "; nocase; content:"<p>You will receive a log report every "; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2002979; classtype:trojan-activity; sid:2002979; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SC-KeyLog Keylogger Installed - Sending Initial Email Report"; flow:established,to_server; content:"Installation of SC-KeyLog on host "; nocase; content:"<p>You will receive a log report every "; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2002979; classtype:trojan-activity; sid:2002979; rev:4;)
#by jholguin (tb-security), re d5d466779b27cfc8e68c73145c5f3b36
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY SC-KeyLog Keylogger Installed - Sending Log Email Report"; flow:established,to_server; content:"SC-KeyLog log report"; nocase; content:"See attached file"; nocase; content:".log"; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2008348; classtype:trojan-activity; sid:2008348; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SC-KeyLog Keylogger Installed - Sending Log Email Report"; flow:established,to_server; content:"SC-KeyLog log report"; nocase; content:"See attached file"; nocase; content:".log"; nocase; reference:url,www.soft-central.net/keylog.php; reference:url,doc.emergingthreats.net/2008348; classtype:trojan-activity; sid:2008348; rev:2;)
#by matt Jonkman
#TLS/SSL State Machine for 8081 and up
@@ -8584,19 +8584,19 @@
#By Chich Thierry
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype VOIP Checking Version (Startup)"; flow: to_server,established; content:"/ui/"; http_uri; nocase; content:"/getlatestversion?ver="; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001595; classtype:policy-violation; sid:2001595; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow: to_server,established; content:"/ui/"; http_uri; nocase; content:"/getlatestversion?ver="; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001595; classtype:policy-violation; sid:2001595; rev:10;)
#By Chich Thierry
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:11;)
#By Robert Grabowsky
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;)
#by Reg Quinton
#
-#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET POLICY Skype Bootstrap Node (udp)"; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:4;)
+#alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET CHAT Skype Bootstrap Node (udp)"; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:4;)
#Idea by Martin Holste, sigs by Matt Jonkman
#The idea here is that most legitimate exe downloads are more than 1meg, most malicious are far less than 1 meg.
@@ -8788,27 +8788,27 @@
#Submitted by an anonymous researcher
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY TOR 1.0 Server Key Retrieval"; flow:established,to_server; content:"GET /tor/server/"; depth:16; threshold:type limit, track by_src, count 1, seconds 30; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002950; classtype:policy-violation; sid:2002950; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Server Key Retrieval"; flow:established,to_server; content:"GET /tor/server/"; depth:16; threshold:type limit, track by_src, count 1, seconds 30; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002950; classtype:policy-violation; sid:2002950; rev:6;)
#Submitted by an anonymous researcher
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY TOR 1.0 Status Update"; flow:established,to_server; content:"GET /tor/status/"; depth:16; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002951; classtype:policy-violation; sid:2002951; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Status Update"; flow:established,to_server; content:"GET /tor/status/"; depth:16; threshold:type limit, track by_src, count 1, seconds 60; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002951; classtype:policy-violation; sid:2002951; rev:5;)
#this sig is good as long as the client isn't recompiled to use an identifier other than TOR..
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET POLICY TOR 1.0 Inbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002952; classtype:policy-violation; sid:2002952; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET P2P TOR 1.0 Inbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002952; classtype:policy-violation; sid:2002952; rev:5;)
#this sig is good as long as the client isn't recompiled to use an identifier other than TOR..
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET POLICY TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002953; classtype:policy-violation; sid:2002953; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET P2P TOR 1.0 Outbound Circuit Traffic"; flow:established; content:"TOR"; content:"<identity>"; rawbytes; distance:10; within:35; threshold:type limit, track by_src, count 1, seconds 120; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2002953; classtype:policy-violation; sid:2002953; rev:5;)
#by Nathaniel Richmond
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Tor Get Server Request"; flow:established,to_server; content:"/tor/server/"; http_uri; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008113; classtype:policy-violation; sid:2008113; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Tor Get Server Request"; flow:established,to_server; content:"/tor/server/"; http_uri; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008113; classtype:policy-violation; sid:2008113; rev:5;)
#by Nathaniel Richmond
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Tor Get Status Request"; flow:established,to_server; content:"/tor/status/"; http_uri; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008115; classtype:policy-violation; sid:2008115; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET P2P Tor Get Status Request"; flow:established,to_server; content:"/tor/status/"; http_uri; nocase; reference:url,tor.eff.org; reference:url,doc.emergingthreats.net/2008115; classtype:policy-violation; sid:2008115; rev:3;)
#by Mike Cox
#
@@ -8838,7 +8838,7 @@
#by Matt Jonkman, sandnetted binary
#App on port 20000 for this casino stuff. Not malicious, but likely not allowed in most environments
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET POLICY Gold VIP Club Casino Client in Use"; flow:established,to_server; dsize:25; content:"Gold VIP Club Casino"; reference:url,doc.emergingthreats.net/2007746; classtype:policy-violation; sid:2007746; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET GAMES Gold VIP Club Casino Client in Use"; flow:established,to_server; dsize:25; content:"Gold VIP Club Casino"; reference:url,doc.emergingthreats.net/2007746; classtype:policy-violation; sid:2007746; rev:5;)
#Submitted by Jason Alvarado
#
@@ -8989,7 +8989,7 @@
#this sig is to catch HTTP User agents that specify Windows 3.1 as the platform
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"User-Agent|3a 20|"; content:"Windows 3.1"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+Windows 3.1/Hi"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 3.1 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"User-Agent|3a 20|"; content:"Windows 3.1"; fast_pattern:only; http_header; content:!"Cisco AnyConnect VPN Agent"; http_header; pcre:"/User-Agent\:[^\n]+Windows 3.1/Hi"; reference:url,doc.emergingthreats.net/2011694; classtype:policy-violation; sid:2011694; rev:7;)
#by evilghost
#
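Review bot: The new `content:!"Cisco AnyConnect VPN Agent"; http_header;` on sid 2011694 is a false-positive exclusion recorded only in the rule itself; the explanatory comment on L424 still says the rule catches any User-Agent naming Windows 3.1. A one-line addition such as `#Cisco AnyConnect VPN Agent UA excluded - presumably reports Windows 3.1 in its UA string` next to the author line would keep the comment block accurate. The negation is placed after `fast_pattern:only`, which is fine because that modifier applies to the preceding `content:"Windows 3.1"`.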
@@ -9000,7 +9000,7 @@
#You may also use this to catch any local win98 machines if they're no longer supposed to be in production
#(which for goodness sake they shouldn't!! Haven't been patched for years!)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\n]+Windows 98/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\n]+Windows 98/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:19;)
#this sig is to catch HTTP User agents that specify Windows 98 as the platform
#Mostly to catch spyware and auto-downloaders that still use these as fake User Agent strings
@@ -9141,11 +9141,11 @@
#by Kevin Ross
#CISCO TORCH SCAN DETECTION RULES
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:3;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SCAN Cisco Torch SNMP Scan"; content:"public"; content:"|30 0C 06 08 2B 06 01 02 01 01 01 00 05 00|"; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008597; classtype:attempted-recon; sid:2008597; rev:4;)
#by Jack Pepper
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"User-Agent|3a| core-project/1.0"; fast_pattern:12,11; http_header; reference:url,doc.emergingthreats.net/2008529; classtype:web-application-activity; sid:2008529; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"User-Agent|3a| core-project/1.0"; fast_pattern:12,11; http_header; classtype:web-application-activity; sid:2008529; rev:6;)
#Submitted 2006-10-30 by Frank Knobbe
#
@@ -9269,7 +9269,7 @@
#by Kevin Ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; content:"GET"; http_method; uricontent:"/random"; nocase; pcre:"/\x2Frandom.+\x2E(html|bat|htm|vbs|do|xdl|htr|swf|wsdl|pl|php3|cfm|cgi|cfc|axd|asp)/Ui"; threshold: type threshold, track by_dst, count 20, seconds 40; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Grendel-Scan Web Application Security Scan Detected"; flow:to_server,established; content:"GET"; http_method; content:"/random"; nocase; http_uri; pcre:"/\x2Frandom.+\x2E(html|bat|htm|vbs|do|xdl|htr|swf|wsdl|pl|php3|cfm|cgi|cfc|axd|asp)/Ui"; threshold: type threshold, track by_dst, count 20, seconds 40; reference:url,www.grendel-scan.com; reference:url,doc.emergingthreats.net/2009481; classtype:attempted-recon; sid:2009481; rev:6;)
#by JP Vossen and Safka : http://library.pantek.com/Mailing%20Lists/snort.org/snort-sigs/03/08/1120.html
#
@@ -9311,19 +9311,19 @@
#by evilghost
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; classtype:bad-unknown; sid:2011031; rev:7;)
#by evilghost
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post"; http_method; nocase; content:!"POST"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP POST invalid method case"; flow:established,to_server; content:"post"; http_method; nocase; content:!"POST"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011032; classtype:bad-unknown; sid:2011032; rev:6;)
#by evilghost
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head"; http_method; nocase; content:!"HEAD"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP HEAD invalid method case"; flow:established,to_server; content:"head"; http_method; nocase; content:!"HEAD"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011033; classtype:bad-unknown; sid:2011033; rev:8;)
#by evilghost
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP OPTIONS invalid method case"; flow:established,to_server; content:"options"; http_method; nocase; content:!"OPTIONS"; http_method; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011034; classtype:bad-unknown; sid:2011034; rev:5;)
#by Kevin Ross
#
@@ -9434,7 +9434,7 @@
#by will metcalf
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Netsparker Default User-Agent"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" Netsparker)|0d 0a|"; http_header; fast_pattern; within:200; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.mavitunasecurity.com/communityedition/; reference:url,doc.emergingthreats.net/2011029; classtype:attempted-recon; sid:2011029; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Netsparker Default User-Agent"; flow:to_server,established; content:"User-Agent|3a| "; http_header; content:" Netsparker)|0d 0a|"; http_header; fast_pattern; within:200; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.mavitunasecurity.com/communityedition/; classtype:attempted-recon; sid:2011029; rev:7;)
#by will metcalf
#
@@ -9639,7 +9639,7 @@
#Works for other proto's, may as well extend the idea
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:misc-activity; sid:2001972; rev:16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Inbound)"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,doc.emergingthreats.net/2001972; classtype:misc-activity; sid:2001972; rev:17;)
#Scanner using this UA, looking for many common vulns
#
@@ -9868,7 +9868,7 @@
#by evilghost
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp"; http_header; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Baidu.com Related Agent User-Agent (iexp)"; flow:to_server,established; content:"User-Agent|3a| iexp|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2003608; classtype:trojan-activity; sid:2003608; rev:9;)
#by evilghost
#
@@ -9892,7 +9892,7 @@
#by Pedro Marinho
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com User-Agent (Browser Adv)"; flow: to_server,established; content:"Browser Adv"; http_header; fast_pattern:only; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/2001295; classtype:trojan-activity; sid:2001295; rev:26;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Browseraid.com User-Agent (Browser Adv)"; flow: to_server,established; content:"Browser Adv"; http_header; fast_pattern:only; reference:url,www.browseraid.com; reference:url,doc.emergingthreats.net/2001295; classtype:trojan-activity; sid:2001295; rev:27;)
#by Pedro Marinho
#
@@ -10086,7 +10086,7 @@
#errclean.com related, by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Locus"; http_header; reference:url,doc.emergingthreats.net/2007845; classtype:trojan-activity; sid:2007845; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Locus "; http_header; reference:url,doc.emergingthreats.net/2007845; classtype:trojan-activity; sid:2007845; rev:8;)
#errclean.com related, by matt jonkman
#
@@ -10134,7 +10134,7 @@
#by Jaime Blasco
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts)"; flow: established,to_server; content:"FunWebProducts|3b|"; http_header; pcre:"/User-Agent\:[^\n]+FunWebProducts/Hi"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001855; classtype:trojan-activity; sid:2001855; rev:30;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts)"; flow: established,to_server; content:"FunWebProducts"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+FunWebProducts/Hi"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001855; classtype:trojan-activity; sid:2001855; rev:32;)
#by pedro marinho
#
@@ -10170,7 +10170,7 @@
#by pedro marinho
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AskSearch Toolbar Spyware User-Agent (AskTBar)"; flow:to_server,established; content:"|3b| AskTb"; http_header; pcre:"/User-Agent\x3a[^\n]+AskTB/iH"; reference:url,doc.emergingthreats.net/2003494; classtype:policy-violation; sid:2003494; rev:20;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AskSearch Toolbar Spyware User-Agent (AskTBar)"; flow:to_server,established; content:"|3b| AskTb"; http_header; pcre:"/User-Agent\x3a[^\n]+AskTB/iH"; reference:url,doc.emergingthreats.net/2003494; classtype:policy-violation; sid:2003494; rev:22;)
#by pedro marinho
#
@@ -10480,7 +10480,7 @@
#by: Jeremy Conway at sudosecure.net
#ref: 8082ad1a9be4fb87312e2852c1647dd9
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; content:"User-Agent|3a| Mbar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003928; classtype:trojan-activity; sid:2003928; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; content:"User-Agent|3a| Mbar|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003928; classtype:trojan-activity; sid:2003928; rev:8;)
#by: Jeremy Conway at sudosecure.net
#ref: 8082ad1a9be4fb87312e2852c1647dd9
@@ -10520,7 +10520,7 @@
#by: Jeremy Conway at sudosecure.net
#ref: 8082ad1a9be4fb87312e2852c1647dd9
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:" MySearch"; fast_pattern; within:150; pcre:"/User-Agent\x3a[^\n]+MySearch/iH"; reference:url,doc.emergingthreats.net/2002080; classtype:trojan-activity; sid:2002080; rev:25;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; content:" MySearch"; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+MySearch/iH"; reference:url,doc.emergingthreats.net/2002080; classtype:trojan-activity; sid:2002080; rev:26;)
#by: Jeremy Conway at sudosecure.net
#ref: 8082ad1a9be4fb87312e2852c1647dd9
@@ -10642,7 +10642,7 @@
#by pedro marinho
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save"; http_header; reference:url,doc.emergingthreats.net/2011120; classtype:trojan-activity; sid:2011120; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save|0d 0a|"; http_header; reference:url,poweredbysave.com; classtype:trojan-activity; sid:2011120; rev:8;)
#by pedro marinho
#
@@ -10714,7 +10714,7 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; content:"User-Agent|3a| SpyLocked"; nocase; http_header; reference:url,doc.emergingthreats.net/2005322; classtype:trojan-activity; sid:2005322; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; content:"User-Agent|3a| SpyLocked"; nocase; http_header; classtype:trojan-activity; sid:2005322; rev:7;)
#from spyware listening post data
#
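Review bot: Dropping the doc.emergingthreats.net URL from sid:2005322 leaves the rule with no `reference:` at all, so an analyst triaging a hit has nothing to pivot on; if the wiki page is gone, a replacement such as the originating sample hash or a vendor write-up should take its place (`reference:md5,<sample-hash-placeholder>;` or `reference:url,<write-up-placeholder>;`). sid:2008503 later in this diff loses its only reference the same way. Every other rule edited here keeps at least one external reference.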
@@ -10770,7 +10770,7 @@
#by evilghost
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; fast_pattern:5,20; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"PREF|3d|ID|3d|"; nocase; http_cookie; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; fast_pattern:5,20; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"PREF|3d|ID|3d|"; nocase; http_cookie; content:!"Host|3a|secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:14;)
#by evilghost
#
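Review bot: The new LogMeIn exclusion on sid:2003492 is written as `Host|3a|secure|2e|logmein|2e|com` with no space after the colon, while the google exclusion earlier on the same line uses `Host|3a| www...`; a real `Host: secure.logmein.com` header carries that space, so unless the http_header normalization strips it the negated content never matches and the false positive it was added for persists. Change it to `content:!"Host|3a| secure|2e|logmein|2e|com|0d 0a|"; nocase; http_header;`.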
@@ -10842,7 +10842,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; content:"User-Agent|3a| TEST|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:trojan-activity; sid:2006357; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; content:"User-Agent|3a| TEST|0d 0a|"; http_header; content:!"Host|3a 20|messagecenter.comodo.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:trojan-activity; sid:2006357; rev:8;)
#Pluses in a UA, suspicious as well
#
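Review bot: The comodo exclusion added to sid:2006357 has no buffer modifier, so `content:!"Host|3a 20|messagecenter.comodo.com"` is evaluated against the raw request rather than the normalized header buffer that the positive User-Agent match on the same line uses; it is inconsistent with the rest of the rule and inspects more than the headers. Add the modifier: `content:!"Host|3a 20|messagecenter.comodo.com"; http_header;`. Anchoring it with a trailing `|0d 0a|`, as the Host exclusions in sid:2003492 do, would also keep a longer hostname with this prefix from being excluded.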
@@ -11113,7 +11113,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ErrCode)"; flow:established,to_server; content:"User-Agent|3a| ErrCode|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008378; classtype:trojan-activity; sid:2008378; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (ErrCode)"; flow:established,to_server; content:"User-Agent|3a| ErrCode"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008378; classtype:trojan-activity; sid:2008378; rev:12;)
#Pluses in a UA, suspicious as well
#
@@ -11357,7 +11357,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pingbed/Downbot User-Agent (Windows+NT+5.1)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Windows+NT+5"; http_header; within:128; fast_pattern; reference:url,doc.emergingthreats.net/2009486; classtype:trojan-activity; sid:2009486; rev:14;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT1 WEBC2-UGX Related Pingbed/Downbot User-Agent (Windows+NT+5.x)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Windows+NT+5"; http_header; within:128; fast_pattern; flowbits:set,ET.webc2ugx; reference:url,www.mandiant.com/apt1; reference:md5,14cfaefa5b8bc6400467fba8af146b71; classtype:trojan-activity; sid:2009486; rev:16;)
#Pluses in a UA, suspicious as well
#
@@ -11499,7 +11499,7 @@
#by stillsecure
#re 5823f6065f5e2e49cd011e6acdd23bd9
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"User-Agent|3a| SOGOU_UPDATER|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011719; classtype:trojan-activity; sid:2011719; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER)"; flow:established,to_server; content:"User-Agent|3a| SOGOU_UPDATER|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011719; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Program%3aWin32%2fSogou; classtype:trojan-activity; sid:2011719; rev:6;)
#2010-07-14 By Pedro Marinho
#002170330780b29686abccef42c4ce35
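Review bot: sid:2011719 is recategorised from USER_AGENTS to POLICY in its msg, but `classtype:trojan-activity;` is kept, so the alert priority still reflects a malware verdict; if the rename is a downgrade the classtype should follow, i.e. `classtype:policy-violation;`. The opposite mismatch appears on sid:2008503 later in this diff, where the msg becomes ET MALWARE while the classtype changes to policy-violation. Whichever direction is intended, the msg category and classtype of a rule should agree within the same commit.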
@@ -11720,7 +11720,7 @@
#by pmarinho
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/2008503; classtype:trojan-activity; sid:2008503; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"User-Agent|3a| ZCOM"; http_header; classtype:policy-violation; sid:2008503; rev:9;)
#From Chris Norton.
#
@@ -11809,7 +11809,7 @@
#from sandnet data
#Disabling by default, hits on the VB api, not unique to this virus.
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Bancos User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| vb wininet"; http_header; nocase; reference:url,doc.emergingthreats.net/2004114; classtype:trojan-activity; sid:2004114; rev:5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Bancos User-Agent Detected vb wininet"; flow:established,to_server; content:"User-Agent|3A| vb wininet"; http_header; nocase; reference:url,doc.emergingthreats.net/2004114; classtype:trojan-activity; sid:2004114; rev:5;)
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
#
@@ -11989,7 +11989,7 @@
#matt jonkman, re 1f8169a4694ec450a9f247469b7cbaf4
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST"; flow:established,to_server; content:"Admin="; depth:6; http_client_body; content:"&UserName="; within:25; content:"&IsProxy="; within:50; flowbits:isset,ET.bd1; reference:url,doc.emergingthreats.net/2009241; classtype:trojan-activity; sid:2009241; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST"; flow:established,to_server; content:"Admin="; depth:6; http_client_body; content:"&UserName="; http_client_body; within:25; content:"&IsProxy="; http_client_body; within:50; flowbits:isset,ET.bd1; reference:url,doc.emergingthreats.net/2009241; classtype:trojan-activity; sid:2009241; rev:5;)
#Matt Jonkman, analysis from captured binary
#Don't know a lot about this one. But the control session is apparently opened by a 00 00 00 00
@@ -12290,7 +12290,7 @@
#by matt Jonkman, from sandnet analysis
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Basine Trojan Checkin"; flow:established,to_server; dsize:>1000; content:"a="; http_client_body; content:"&b=reported"; fast_pattern; distance:0; within:40; content:"&d=report"; distance:0; within:40; reference:url,doc.emergingthreats.net/2007692; classtype:trojan-activity; sid:2007692; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Basine Trojan Checkin"; flow:established,to_server; dsize:>1000; content:"a="; http_client_body; content:"&b=reported"; fast_pattern; distance:0; within:40; http_client_body; content:"&d=report"; http_client_body; distance:0; within:40; reference:url,doc.emergingthreats.net/2007692; classtype:trojan-activity; sid:2007692; rev:7;)
#by Darren Spruell
#
@@ -12302,7 +12302,7 @@
#by jerry at cybercave
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; nocase; pcre:"/\/ff\.ie\?rnd=\d/Ui"; content:"p="; http_client_body; nocase; content:"&ot="; nocase; distance:0; content:"&njeb="; distance:0; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010565; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; nocase; fast_pattern:only; pcre:"/\/ff\.ie\?rnd=\x2d?\d/Ui"; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010565; rev:11;)
#by deapesh misra
#
@@ -12354,14 +12354,14 @@
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; distance:0; reference:url,doc.emergingthreats.net/2009297; classtype:trojan-activity; sid:2009297; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Boaxxe HTTP POST Checkin"; flow:established,to_server; content:"/u/"; http_uri; content:"POST"; nocase; http_method; content:"user-Agent|3a| Internet Explorer|0d 0a|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; reference:url,doc.emergingthreats.net/2009297; classtype:trojan-activity; sid:2009297; rev:8;)
#this really isn't Kraken, appears to really be bobax, but reported as kraken.
#These sigs are a first attempt, hopefully this will improve
#disabling, we should delete these soon, like in july 2010
#matt
#
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008103; rev:3;)
+##alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008103; rev:4;)
#this really isn't Kraken, appears to really be bobax, but reported as kraken.
#These sigs are a first attempt, hopefully this will improve
@@ -12389,14 +12389,14 @@
#disabling, we should delete these soon, like in july 2010
#matt
#
-#alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008107; rev:3;)
+##alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008107; rev:4;)
#this really isn't Kraken, appears to really be bobax, but reported as kraken.
#These sigs are a first attempt, hopefully this will improve
#disabling, we should delete these soon, like in july 2010
#matt
#
-#alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008108; rev:3;)
+##alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008108; rev:4;)
#this really isn't Kraken, appears to really be bobax, but reported as kraken.
#These sigs are a first attempt, hopefully this will improve
@@ -12410,7 +12410,7 @@
#disabling, we should delete these soon, like in july 2010
#matt
#
-#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008110; rev:3;)
+##alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008110; rev:4;)
#Bofra Worm
#submitted by Matt Jonkman, additions by David Maciejak - Bofra Worm
@@ -12447,11 +12447,11 @@
#Bredolab Infection
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; http_uri; nocase; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2010071; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; http_uri; nocase; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; flowbits:set,ET.Hiloti; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2010071; rev:8;)
#Bredolab Infection
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - Windows Key"; flow:established,to_server; content:"?s=Windows"; nocase; http_uri; content:"&p="; nocase; http_uri; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/"; reference:url,doc.emergingthreats.net/2010072; classtype:trojan-activity; sid:2010072; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - Windows Key"; flow:established,to_server; content:"?s=Windows"; nocase; http_uri; content:"&p="; nocase; http_uri; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/U"; reference:url,doc.emergingthreats.net/2010072; classtype:trojan-activity; sid:2010072; rev:6;)
#by evilghost
#
@@ -12499,7 +12499,7 @@
#by Darren Spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"os="; http_client_body; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; fast_pattern; distance:0; content:"&data="; distance:0; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:trojan-activity; sid:2010217; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"os="; http_client_body; nocase; content:"&ver="; nocase; http_client_body; distance:0; content:"&idx="; http_client_body; nocase; distance:0; content:"&user="; http_client_body; nocase; distance:0; content:"&ioctl="; http_client_body; nocase; fast_pattern; distance:0; content:"&data="; http_client_body; distance:0; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; classtype:trojan-activity; sid:2010217; rev:11;)
#by Jeffrey Brown at synacktip
#
@@ -12531,7 +12531,7 @@
#by Marcus at unsober, re 68926f2883af13d6001126aae4345dab
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; within:20; content:"&affid="; http_client_body; content:"="; within:5; content:"&subid="; http_client_body; content:"=="; within:5; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:trojan-activity; sid:2008442; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"gd="; http_client_body; content:"=="; within:20; http_client_body; content:"&affid="; http_client_body; content:"="; within:5; http_client_body; content:"&subid="; http_client_body; content:"=="; within:5; http_client_body; content:"&prov="; http_client_body; reference:url,doc.emergingthreats.net/2008442; classtype:trojan-activity; sid:2008442; rev:10;)
#by darren spruell
#
@@ -12728,7 +12728,7 @@
#delf keylog upload, kinda flimsy but works
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf HTTP Post Checkin (1)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"Content-type|3a| image/gif"; http_header; content:"x|da|"; http_client_body; depth:2; content:"|0d 0a|Content-type|3a| image/gif|0d 0a 0d 0a|x|da|"; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007867; classtype:trojan-activity; sid:2007867; rev:8;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Delf HTTP Post Checkin (1)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"Content-type|3a| image/gif"; http_header; content:"x|da|"; http_client_body; depth:2; content:"|0d 0a|Content-type|3a| image/gif|0d 0a 0d 0a|x|da|"; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/2007867; classtype:trojan-activity; sid:2007867; rev:9;)
#by Victor Julien
#
@@ -12916,7 +12916,7 @@
#Matt Jonkman, thanks to the Clam guys for the information and sample
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-1355 Checking In"; flow:established,to_server; content:"/adload.php?a1="; nocase; http_uri; content:"a3="; nocase; http_uri; content:"&a4="; nocase; http_uri; content:"&a5="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; reference:url,doc.emergingthreats.net/2003408; classtype:trojan-activity; sid:2003408; rev:5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zhelatin Variant Checkin"; flow:established,to_server; content:"/adload.php?a1="; nocase; http_uri; content:"a3="; nocase; http_uri; content:"&a4="; nocase; http_uri; content:"&a5="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; reference:url,doc.emergingthreats.net/2003408; classtype:trojan-activity; sid:2003408; rev:8;)
#by axn jxn
#
@@ -13038,7 +13038,7 @@
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"User-Agent|3a| cv_v"; http_header; nocase; reference:url,doc.emergingthreats.net/2007926; classtype:trojan-activity; sid:2007926; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"User-Agent|3a| cv_v"; http_header; nocase; reference:url,doc.emergingthreats.net/2007926; classtype:trojan-activity; sid:2007926; rev:3;)
#by matt jonkman
#
@@ -13116,7 +13116,7 @@
#Sig by Daniel Clemens
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; classtype:trojan-activity; sid:2008546; rev:7;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; content:"&uid="; http_uri; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; classtype:trojan-activity; sid:2008546; rev:7;)
#by jeremy at sudosecure
#ref: c2a3a87735f8c5e11de82c52c94aefc7
@@ -13322,15 +13322,15 @@
#these are more permanent, C&C related
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tlog.php?logn="; http_uri; pcre:"/\/tlog\.php?logn=[^\s]+&pss=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007683; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tlog.php?logn="; http_uri; pcre:"/\/tlog\.php\?logn=[^\s]+&pss=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007683; rev:12;)
#these are more permanent, C&C related
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ntarg.php?"; http_uri; pcre:"/ntarg\.php?[^\s]*(notdoing=|howme=|uname=)/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007684; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ntarg.php?"; http_uri; pcre:"/ntarg\.php\?[^\s]*(notdoing|howme|uname)=/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007684; rev:12;)
#these are more permanent, C&C related
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tnewu.php?nlogin="; http_uri; pcre:"/\/tnewu.php?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007685; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tnewu.php?nlogin="; http_uri; pcre:"/\/tnewu\.php\?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]/U"; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; classtype:trojan-activity; sid:2007685; rev:12;)
#these are more permanent, C&C related
#
@@ -13386,7 +13386,7 @@
#marcus at unsober, update by darren spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emo/Downloader.uxk checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&id="; http_uri; content:"&rs="; http_uri; fast_pattern; content:"&cc="; http_uri; reference:url,doc.emergingthreats.net/2008452; classtype:trojan-activity; sid:2008452; rev:9;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Emo/Downloader.uxk checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"v="; http_uri; content:"&id="; http_uri; content:"&rs="; http_uri; fast_pattern; content:"&cc="; http_uri; reference:url,doc.emergingthreats.net/2008452; classtype:trojan-activity; sid:2008452; rev:10;)
#by matt jonkman
#
@@ -13439,7 +13439,7 @@
#by evilghost and mike cox
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; nocase; content:!"Referer|3a| "; nocase; http_header; content:"current_version="; http_client_body; pcre:"/current_version=[a-z0-9]{196,}/Pi"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; nocase; content:!"Referer|3a| "; nocase; http_header; content:"current_version="; http_client_body; pcre:"/current_version=[a-z0-9]{196}/Pi"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:8;)
#by evilghost
#
@@ -13578,7 +13578,7 @@
#Matt Jonkman
#General signs of trojan infections....
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; fast_pattern; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; fast_pattern; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:5;)
#matt jonkman, used by many uploaders
#
@@ -13586,7 +13586,7 @@
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin likely Variant.TDss.33"; flow:to_server,established; content:"magic="; nocase; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; reference:url,doc.emergingthreats.net/2008523; reference:url,www.threatexpert.com/report.aspx?md5=0e800d2cf26790d25ec6b50b88b0c6dd; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:trojan-activity; sid:2008523; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Win32.Fackemo.g/Katusha/FakeAlert Checkin"; flow:to_server,established; content:"POST"; http_method; content:"magic="; http_uri; content:"&id="; http_uri; content:"&cache="; http_uri; content:"&tm="; http_uri; content:"&ox="; http_uri; content:!"Mozilla"; http_header; reference:md5,29457bd7a95e11bfd0e614a6e237a344; reference:md5,173a060ed791e620c2ec84d7b360ed60; reference:url,www.bugbopper.com/NameLookup.asp?Name=Packed_Win32_TDSS_o; classtype:trojan-activity; sid:2008523; rev:6;)
#Matt Jonkman
#
@@ -13594,7 +13594,7 @@
#by victort julien
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Malformed Double Accept Header"; flow:established,to_server; content:"Accept|3a| Accept|3a| "; http_header; reference:url,doc.emergingthreats.net/2008975; classtype:trojan-activity; sid:2008975; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Malformed Double Accept Header"; flow:established,to_server; content:"Accept|3a| Accept|3a| "; http_header; content:!"-DRM"; http_header; content:!"buhphone.ru|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008975; classtype:trojan-activity; sid:2008975; rev:11;)
#by joe stewart and bojan zdrjna
#
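Review bot: The two exclusions added to sid 2008975 are unanchored substrings of the whole header buffer, so any request carrying `-DRM` or `buhphone.ru` anywhere in its headers is exempt from the double-Accept check, which is both a broad whitelist and a trivial evasion. If these tokens belong to a specific header (a User-Agent or Host, presumably), anchor them to it, e.g. `content:!"Host|3a| buhphone.ru|0d 0a|"; http_header;` — the right header is not visible here, so confirm against the false-positive samples. A one-line comment above the rule naming the FP source, `#exclusions: -DRM client and buhphone.ru, FP reports`, would record why they exist. The rev also jumps 8→11 with one visible change, which suggests intermediate revisions not shown in this diff.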
@@ -13629,7 +13629,7 @@
#by marcus at unsober
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Crack by bahman"; flow:established; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Crack by bahman"; flow:established,to_server; content:"POST"; nocase; http_method; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008369; classtype:trojan-activity; sid:2008369; rev:6;)
#by Jeffrey Brown
#
@@ -13654,7 +13654,7 @@
#by: Jeremy Conway at sudosecure.net
#ref: 3ef704eaa54118d277d52a1fe9bbcaa4
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:6;)
#by bojan
#
@@ -13749,7 +13749,7 @@
#Trojan HaxDoor
#Submitted by Tom Fischer, 2006-01-24, modified 2/2/06 on info from chris, reference update from darren spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Haxdoor Reporting User Activity 2"; flow:established,to_server; content:"?param="; http_uri; content:"&socksport="; http_uri; content:"&httpport="; http_uri; content:"&uptime"; http_uri; content:"&uid="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2002929; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; classtype:trojan-activity; sid:2002929; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Haxdoor Reporting User Activity 2"; flow:established,to_server; content:"param="; http_uri; content:"&socksport="; http_uri; content:"&httpport="; fast_pattern:only; http_uri; content:"&uptime"; http_uri; content:"&uid="; http_uri; content:"&ver="; http_uri; reference:url,doc.emergingthreats.net/2002929; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; reference:md5,0995ecb8bb78f510ae995a50be0c351a; classtype:trojan-activity; sid:2002929; rev:7;)
#by evilghost
#
@@ -13823,7 +13823,7 @@
#from sandnet
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (RAV1.23)"; flow:established,to_server; content:"User-Agent|3a| RAV"; nocase; http_header; pcre:"/^User-Agent\x3a RAV\d\.\d\d/Hm"; reference:url,doc.emergingthreats.net/2007661; classtype:trojan-activity; sid:2007661; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (RAV1.23)"; flow:established,to_server; content:"User-Agent|3a| RAV"; http_header; pcre:"/^User-Agent\x3a RAV\d\.\d\d/Hm"; reference:url,doc.emergingthreats.net/2007661; classtype:trojan-activity; sid:2007661; rev:5;)
#from sandnet
#
@@ -13941,7 +13941,7 @@
### Alternate path to is_proto_irc, Catch PING/PONG.
#
-alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PONG response"; flow:from_server,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:16;)
+alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:18;)
#Bot potty
#
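Review bot: Flipping sid 2002028 to `any any -> any 6666:7000` with `flow:from_client` means a PONG sent by the IRC server in reply to a client PING no longer sets `is_proto_irc`; only client-originated PONGs do now. If the intent is to catch a bot answering server keepalives that is correct, but the old server-side coverage is replaced rather than supplemented, so other rules that rely on the flowbit being set early may lose it on some sessions. A short comment such as `#client-side PONG only (bot answering server PING); server PONGs no longer set the flowbit` above the rule would record that decision. The rev moves 16→18 with a single visible change.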
@@ -14289,7 +14289,7 @@
#by jerry at cybercave
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface C&C availability check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/achcheck.php"; nocase; http_uri; flowbits:set,ET.koobfacecheck; flowbits:noalert; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010151; classtype:trojan-activity; sid:2010151; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface C&C availability check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/achcheck.php"; nocase; http_uri; flowbits:set,ET.koobfacecheck; reference:url,us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf; reference:url,doc.emergingthreats.net/2010151; classtype:trojan-activity; sid:2010151; rev:7;)
#by jerry at cybercave
#
@@ -14435,7 +14435,7 @@
#by Matt Jonkman, MBR Virus related
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ld/mat"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_client_body; depth:3; content:"&hit="; http_client_body; reference:url,doc.emergingthreats.net/2007747; classtype:trojan-activity; sid:2007747; rev:6;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ld/mat"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_client_body; depth:3; content:"&hit="; http_client_body; reference:url,doc.emergingthreats.net/2007747; classtype:trojan-activity; sid:2007747; rev:6;)
#by Victor Julien
#Ikarus: AdWare.Win32.MWGuide,
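Review bot: sid 2007747 is disabled and renamed "ET DELETED" but its rev stays at 6, whereas every other rule retired in this diff (2008452, 2008143, 2007748, 2007669) bumps rev; rule managers that compare sid:rev may treat this as unchanged and keep the old copy. Bump it to `rev:7;`. It is also commented out with `##` while the neighbouring retirements use a single `#`; if the double hash carries meaning it is not stated anywhere visible here, and a consistent prefix would avoid the question.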
@@ -14514,7 +14514,7 @@
#from Matt Richard with Verisign Security Services / iDefense
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"ACCEPT|3A|"; nocase; within:300; content:"POST|2C|"; fast_pattern; nocase; within:100; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:7;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"ACCEPT|3A|"; nocase; within:300; content:"POST|2C|"; fast_pattern; nocase; within:100; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:8;)
#Matt Jonkman
#
@@ -14534,7 +14534,7 @@
#by Darren Spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"Accept-Language|3a 20|en-en|0d 0a|"; fast_pattern:only; http_header; content:"|3b|Windows|20|"; http_header; reference:url,doc.emergingthreats.net/2009125; classtype:trojan-activity; sid:2009125; rev:11;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.Inject.esi/Comfoo Outbound Communication"; flow:established,to_server; content:"Accept-Language|3a 20|en-en|0d 0a|"; content:"|3b|Windows|20|"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/2009125; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2009125; rev:15;)
#by Philipp Bescht
#ref: 965583b539fb59b643c7bdd83e269a7e
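Review bot: In sid 2009125 the fast pattern moved from `Accept-Language|3a 20|en-en|0d 0a|` to `|3b|Windows|20|` with `nocase`, and "; Windows " appears in the User-Agent of virtually every IE/Windows HTTP client, so nearly all outbound web traffic now enters full rule evaluation before the rare en-en header filters it out. Unless the en-en string is known to vary across the Comfoo samples, keep the fast pattern on the distinctive content: `content:"Accept-Language|3a 20|en-en|0d 0a|"; fast_pattern:only; content:"|3b|Windows|20|"; nocase;`. Dropping `http_header` and widening the destination to `any` is presumably to catch C&C on non-standard ports; a comment saying so would explain why this rule no longer uses the HTTP buffers like its neighbours.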
@@ -14576,7 +14576,7 @@
#by Matt Jonkman, from sandnet
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:6;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nulprot Checkin Response"; flow:established,from_server; content:"200"; http_stat_code; content:"Encryption|3a| on|0d 0a|Content-Length|3a| "; http_header; depth:32; reference:url,doc.emergingthreats.net/2007669; classtype:trojan-activity; sid:2007669; rev:7;)
#ref: 6b4ef50e3e21205685cea919ebf93476
#
@@ -14616,11 +14616,11 @@
#by darren spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:".php?l="; fast_pattern; nocase; http_uri; content:"&u="; nocase; http_uri; content:"Accept-Encoding|3a|"; http_header; nocase; content:"Referer|3a| "; http_header; nocase; pcre:"/^Accept-Encoding\x3a\s+([a-z])\1{3,}/Hmi"; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010283; classtype:trojan-activity; sid:2010283; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; content:".php?l="; fast_pattern; nocase; http_uri; content:"&u="; nocase; http_uri; content:"Accept-Encoding|3a|"; http_header; nocase; content:"Referer|3a| "; http_header; nocase; pcre:"/^Accept-Encoding\x3a\s+([a-z])\1{3}/Hmi"; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; reference:url,doc.emergingthreats.net/2010283; classtype:trojan-activity; sid:2010283; rev:8;)
#matt jonkman, re 9fcea128aeff455ff8f6c9558dd150fd
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 3|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a|Optix Pro v"; distance:4; within:25; reference:url,en.wikipedia.org/wiki/Optix_Pro; reference:url,doc.emergingthreats.net/2008212; classtype:trojan-activity; sid:2008212; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Optix Pro Trojan/Keylogger Reporting Installation via Email"; flow:established,to_server; content:"Optix Pro v"; content:"Installed Trojan Port|3a|"; distance:0; reference:url,en.wikipedia.org/wiki/Optix_Pro; classtype:trojan-activity; sid:2008212; rev:5;)
#matt jonkman, re 9fcea128aeff455ff8f6c9558dd150fd
#
@@ -14640,7 +14640,7 @@
#by Russ McRee of expedia.com
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea.php?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea\.php\?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:6;)
#by Russ McRee of expedia.com
#
@@ -14685,43 +14685,43 @@
#by Tom Fischer
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch Reporting User Activity"; flow:established,to_server; content:".php?ut="; nocase; http_uri; content:"&idr="; nocase; http_uri; content:"&lang="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002812; classtype:trojan-activity; sid:2002812; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PWS-LDPinch Reporting User Activity"; flow:established,to_server; content:".php?ut="; nocase; http_uri; content:"&idr="; nocase; http_uri; content:"&lang="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2002812; classtype:trojan-activity; sid:2002812; rev:5;)
#New by Matt Jonkman, re 0a7b2d160c90af079dbe560b38c89d3f in sandnet
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:8;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:10;)
#New by Matt Jonkman, re 0a7b2d160c90af079dbe560b38c89d3f in sandnet
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data (2)"; flow:established,to_server; dsize:>400; content:"POST / HTTP/1.1"; depth:15; content:!"User-Agent|3a| BDNC"; http_header; content:"a="; http_client_body; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PWS-LDPinch posting data (2)"; flow:established,to_server; dsize:>400; content:"POST / HTTP/1.1"; depth:15; content:!"User-Agent|3a| BDNC"; http_header; content:"a="; http_client_body; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:8;)
#more pinch
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; fast_pattern; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:11;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; nocase; content:"&d="; fast_pattern; http_client_body; nocase; content:".bin&c="; http_client_body; reference:url,doc.emergingthreats.net/2007828; classtype:trojan-activity; sid:2007828; rev:13;)
#more pinch
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (3)"; flow:established,to_server; content:"a="; offset:0; depth:2; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:trojan-activity; sid:2007862; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (3)"; flow:established,to_server; content:"a="; offset:0; depth:2; content:"&b=Passes from"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2007862; classtype:trojan-activity; sid:2007862; rev:11;)
#more pinch
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (4)"; flow:established,to_server; content:"a="; offset:0; depth:2; content:"&b=Pinch"; nocase; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008061; classtype:trojan-activity; sid:2008061; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (4)"; flow:established,to_server; content:"a="; offset:0; depth:2; content:"&b=Pinch"; nocase; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008061; classtype:trojan-activity; sid:2008061; rev:5;)
#more pinch
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (8)"; flow:established,to_server; content:"/view.php"; nocase; http_uri; content:"a="; content:"&b=Passes"; distance:0; content:"&d=Pass"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008091; classtype:trojan-activity; sid:2008091; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (8)"; flow:established,to_server; content:"/view.php"; nocase; http_uri; content:"a="; content:"&b=Passes"; distance:0; content:"&d=Pass"; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008091; classtype:trojan-activity; sid:2008091; rev:4;)
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN LDPinch SMTP Password Report"; flow:established,to_server; content:"Subject|3a| Passes from "; depth:21; content:"|0d 0a|Content-Disposition|3a| attachment\; filename=\"report.bin\""; distance:0; reference:url,doc.emergingthreats.net/2008034; classtype:trojan-activity; sid:2008034; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN LDPinch SMTP Password Report"; flow:established,to_server; content:"Subject|3a| Passes from"; nocase; fast_pattern; content:"application/octet-stream|3b|"; content:".bin"; distance:0; within:100; reference:url,doc.emergingthreats.net/2008034; classtype:trojan-activity; sid:2008034; rev:6;)
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin (9)"; flow:established,to_server; dsize:>1000; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin (9)"; flow:established,to_server; dsize:>1000; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a=&b=&d=&c="; http_client_body; reference:url,doc.emergingthreats.net/2008213; classtype:trojan-activity; sid:2008213; rev:8;)
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET TROJAN LDPinch Checkin on Port 82"; flow:established,to_server; content:".php"; nocase; content:"a="; content:"&b=Pinch"; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008354; classtype:trojan-activity; sid:2008354; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 82 (msg:"ET DELETED LDPinch Checkin on Port 82"; flow:established,to_server; content:".php"; nocase; content:"a="; content:"&b=Pinch"; distance:0; content:"&d="; distance:0; content:"&c="; distance:0; reference:url,doc.emergingthreats.net/2008354; classtype:trojan-activity; sid:2008354; rev:5;)
#Marcus at unsober
#
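Review bot: In the rewritten sid 2008034 the `Subject|3a| Passes from` match gets `nocase` but `application/octet-stream|3b|` does not, although MIME media types are case-insensitive, so a mailer emitting `Application/Octet-Stream;` would slip past while the subject still matches; make it `content:"application/octet-stream|3b|"; nocase; content:".bin"; nocase; distance:0; within:100;`. Replacing the `filename="report.bin"` anchor with any `.bin` within 100 bytes is a deliberate widening; fine, but a comment noting which samples used other filenames would justify it. sid 2007862 is byte-identical on both sides yet its rev goes 8→11, which suggests edits not present in this diff.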
@@ -14739,7 +14739,7 @@
#by Jeremy at sudosecure
#ref: 04406e913a0070eac26df3627a7a05c1
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin v2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; fast_pattern; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; content:"a="; depth:2; http_client_body; nocase; content:"b="; http_client_body; nocase; content:"d="; http_client_body; nocase; content:"c="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008469; classtype:trojan-activity; sid:2008469; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Checkin v2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; fast_pattern; nocase; http_uri; content:"application|2F|x-www-form-urlencoded|0D 0A|"; http_header; content:"a="; depth:2; http_client_body; nocase; content:"b="; http_client_body; nocase; content:"d="; http_client_body; nocase; content:"c="; http_client_body; nocase; reference:url,doc.emergingthreats.net/2008469; classtype:trojan-activity; sid:2008469; rev:7;)
#matt jonkman, re 3663a14f15dbee42422fc8685740f493
#
@@ -15043,7 +15043,7 @@
#by Myron Davis
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET TROJAN Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:4;)
+##alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET DELETED Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:6;)
#matt jonkman
#
@@ -15117,7 +15117,7 @@
#by Matt Jonkman
#
-alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"ET TROJAN Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"HTTP/1.0 200 OK|0d 0a|Encryption|3a| on|0d 0a|"; offset:0; depth:33; reference:url,doc.emergingthreats.net/2007752; classtype:trojan-activity; sid:2007752; rev:4;)
+alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"ET TROJAN Saturn Proxy Checkin Response"; flow:established,from_server; flowbits:isset,ET.saturn.checkin; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Encryption|3a| on|0d 0a|"; depth:16; reference:url,doc.emergingthreats.net/2007752; classtype:trojan-activity; sid:2007752; rev:5;)
#this is a C&C, may or may not be unique to each variant, need to learn more about it...
#by Matt Jonkman
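Review bot: The rewritten sid 2007752 looks unable to match: `content:"Encryption|3a| on|0d 0a|"; depth:16;` carries no HTTP buffer modifier, so `depth` is measured from the start of the raw response payload, which begins with the very status line (`HTTP/1.0 200 OK\r\n`, 17 bytes) that `http_stat_code`/`http_stat_msg` just matched, and the 16-byte header string cannot fit in the first 16 payload bytes. Scope it to the header buffer the way the (now retired) Nulprot rule 2007669 did with `http_header; depth:32;`: `content:"Encryption|3a| on|0d 0a|"; http_header; depth:16;`. That still requires Encryption to be the first header, which preserves the original `offset:0; depth:33` intent; if the C&C may reorder headers, drop the depth entirely. Please confirm against a pcap before shipping, since this rule is gated by a flowbit and a silent non-match would not be noticed.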
@@ -15151,11 +15151,11 @@
#by Jeffrey Brown
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/Mebroot Client POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"|0d 0a|Connection|3a| close|0d 0a 0d 0a a9 3a d4 31 4b 84|"; fast_pattern; reference:url,doc.emergingthreats.net/2008520; classtype:trojan-activity; sid:2008520; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sinowal/Mebroot/Torpig Client POST"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"|0d 0a|Connection|3a| close|0d 0a 0d 0a a9 3a d4 31 4b 84|"; fast_pattern; reference:url,doc.emergingthreats.net/2008520; classtype:trojan-activity; sid:2008520; rev:6;)
#by Pedro Marinho
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Sinowal Phoning Home"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/ld/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Sinowal/Torpig Phoning Home"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/ld/"; nocase; http_uri; content:".php"; nocase; http_uri; content:"id="; http_uri; content:"&n="; http_uri; content:"&try="; http_uri; reference:url,doc.emergingthreats.net/2008580; classtype:trojan-activity; sid:2008580; rev:5;)
#by Marcus at unsober.org
#
@@ -15265,7 +15265,7 @@
#by Darren Spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0; reference:url,doc.emergingthreats.net/2010789; classtype:trojan-activity; sid:2010789; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Bot Checkin"; flow:established,to_server; content:".php?guid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&stat="; nocase; http_uri; content:"&cpu="; nocase; http_uri; content:"&ccrc="; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-020216-0135-99; reference:url,malwareint.blogspot.com/2010/01/spyeye-new-bot-on-market.html; reference:url,www.threatexpert.com/report.aspx?md5=2b8a408b56eaf3ce0198c9d1d8a75ec0; reference:url,doc.emergingthreats.net/2010789; classtype:trojan-activity; sid:2010789; rev:5;)
#matt jonkman
#
@@ -15470,7 +15470,7 @@
#by dxp
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?o="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?o="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:6;)
#Description of parameters:
#?o= integer value to identify attacker
@@ -15652,7 +15652,7 @@
#by marcus at unsober
#re: 3cc737de7ffdb084ae969a7d25dc4c06
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Trojan Check-in (3)"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".asp"; http_uri; content:"?username="; http_uri; content:"&serverMac="; http_uri; content:"&edition="; pcre:"/.asp\?username=.+&serverMac=([0-9A-F]{2}-){5}[0-9A-F]{2}&edition=/Ui"; reference:url,doc.emergingthreats.net/2009532; classtype:trojan-activity; sid:2009532; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BackDoor-EGB Check-in"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".asp"; http_uri; content:"?username="; http_uri; content:"&serverMac="; http_uri; content:"&edition="; pcre:"/.asp\?username=.+&serverMac=([0-9A-F]{2}-){5}[0-9A-F]{2}&edition=/Ui"; reference:url,doc.emergingthreats.net/2009532; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=239060; classtype:trojan-activity; sid:2009532; rev:5;)
#by Anonymous Submitter #2
#
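Review bot: sid 2009532 changes its msg and gains a McAfee reference but keeps `rev:5`, unlike the other renamed rules in this diff (2008523 goes 5→6, 2008580 4→5); bump it to `rev:6;` so downstream rule managers pick up the change. While touching the rule, the `.asp` in the pcre is unescaped (`/.asp\?username=/`) so the dot matches any byte; `\.asp\?username=` is what the preceding `content:".asp"` already demands. Also `content:"&edition="` lacks the `http_uri` modifier its siblings have, so it is evaluated against the raw payload rather than the normalized URI; adding `http_uri` keeps the rule consistent, though that part is pre-existing.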
@@ -16029,7 +16029,7 @@
#by evilghost
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?controller="; http_uri; content:"&abbr="; http_uri; content:"&setupType="; http_uri; content:"&ttl="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010241; classtype:trojan-activity; sid:2010241; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV check-in GET"; flow:established,to_server; content:"GET"; http_method; content:"/Reports/install-report.php"; http_uri; content:"abbr="; http_uri; content:"TALWinInetHTTPClient"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010241; classtype:trojan-activity; sid:2010241; rev:6;)
#by evilghost
#
@@ -16107,7 +16107,7 @@
#by Jaime Blasco
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot/Zeus C&C Access"; flow:to_server,established; content:"in.php?m=home"; http_uri; reference:url,doc.emergingthreats.net/2009175; classtype:trojan-activity; sid:2009175; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot/Zeus C&C Access"; flow:to_server,established; content:"in.php?m=home"; http_uri; reference:url,doc.emergingthreats.net/2009175; classtype:trojan-activity; sid:2009175; rev:5;)
#by Paul Dokas
#
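Review bot: The retired Zbot/Zeus rule at L967 is disabled with a doubled `##` prefix, while every other rule this commit disables (L974, L1068, L1095) uses a single `#`. Rule-management tooling that re-enables a SID by stripping one leading `#` will most likely not recognise the doubled marker, and the inconsistency makes the disabled set harder to grep. Dropping one `#` so the line starts `#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zbot/Zeus C&C Access"; ...` would match the rest of the batch.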
@@ -18128,7 +18128,7 @@
#by Blake Hartstein at Demarc
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; fast_pattern:only; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; reference:url,doc.emergingthreats.net/2002865; classtype:attempted-user; sid:2002865; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8300 (msg:"ET WEB_SERVER Novell GroupWise Messenger Accept Language Buffer Overflow"; flow:established,to_server; content:"Accept-Language"; fast_pattern:only; nocase; pcre:"/^Accept-Language\:[^\n]*?[^,\;\n]{17}/mi"; reference:cve,2006-0992; reference:bugtraq,17503; reference:url,doc.emergingthreats.net/2002865; classtype:attempted-user; sid:2002865; rev:7;)
#by Michael Scheidell
#
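Review bot: The GroupWise rule at L974 is commented out and its rev is bumped to 7, but its msg keeps the `ET WEB_SERVER` prefix, whereas the other rules this commit retires (L967, L1068, L1095) are renamed to `ET DELETED`. The same mismatch applies to the Sun Java System Web Server rule at L995, which is additionally disabled with `rev:3` left unchanged, and to the JMweb rule at L1121. Renaming to `msg:"ET DELETED Novell GroupWise Messenger Accept Language Buffer Overflow"` (and bumping the rev at L995) keeps disabled rules recognisable in sid-msg maps and ruleset diffs.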
@@ -18183,7 +18183,7 @@
#From Erik Fichtner
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"cmd="; http_uri; fast_pattern; nocase; http_uri; pcre:"/cmd=[^\x28]*(cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2010920; classtype:web-application-attack; sid:2010920; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Exploit Suspected PHP Injection Attack (cmd=)"; flow:to_server,established; content:"GET"; nocase; http_method; content:".php?"; nocase; http_uri; content:"cmd="; http_uri; fast_pattern; nocase; pcre:"/cmd=[^\x28]*(cd|\;|echo|cat|perl|curl|wget|id|uname|t?ftp)/Ui"; reference:cve,2002-0953; reference:url,doc.emergingthreats.net/2010920; classtype:web-application-attack; sid:2010920; rev:8;)
#From Joe Stewart, LURHQ
#
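Review bot: The `cmd=` pcre at L981 still lets the two-letter alternatives `cd` and `id` match inside ordinary parameter values, e.g. `cmd=hide` or `cmd=video`, because nothing anchors the keyword list; the commit only removes the duplicated `http_uri` modifier. Anchoring the word alternatives while leaving the `;` case alone, `pcre:"/cmd=[^\x28]*(?:\;|\b(?:cd|echo|cat|perl|curl|wget|id|uname|t?ftp)\b)/Ui"`, would remove those false positives without losing any of the listed command forms. Whether a tuned deployment depends on the looser match I cannot tell from the diff.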
@@ -18320,7 +18320,7 @@
#by kevin ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"VERSION"; nocase; http_uri; pcre:"/SELECT.+VERSION/Ui"; reference:url,msupport.microsoft.com/kb/321185; reference:url,doc.emergingthreats.net/2011037; classtype:web-application-attack; sid:2011037; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; content:"SELECT"; nocase; http_uri; content:"VERSION"; nocase; http_uri; distance:1; reference:url,support.microsoft.com/kb/321185; reference:url,doc.emergingthreats.net/2011037; classtype:web-application-attack; sid:2011037; rev:5;)
#by kevin ross
#
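Review bot: Replacing the pcre with `content:"VERSION"; nocase; http_uri; distance:1;` at L988 leaves the rule entirely unanchored, so a benign URI such as `?selection=1&version=2` satisfies `SELECT` followed by `VERSION` with at least one byte between them and fires. The old `/SELECT.+VERSION/Ui` had the same weakness, but with the pcre slot now free a boundary-anchored check like `pcre:"/\bSELECT\b.+\bVERSION\b/Ui"` would exclude matches inside parameter names at little cost, since the two content matches still gate it.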
@@ -18368,7 +18368,7 @@
#by kevin ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept"; flow:established,to_server; content:"OPTIONS|20|"; depth:8; nocase; isdataat:400,relative; content:!"|0A|"; within:400; reference:url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt; reference:cve,2010-0361; reference:url,doc.emergingthreats.net/2011016; classtype:web-application-attack; sid:2011016; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept"; flow:established,to_server; content:"OPTIONS|20|"; depth:8; nocase; isdataat:400,relative; content:!"|0A|"; within:400; reference:url,www.packetstormsecurity.com/1004-exploits/sunjavasystem-exec.txt; reference:cve,2010-0361; reference:url,doc.emergingthreats.net/2011016; classtype:web-application-attack; sid:2011016; rev:3;)
#bu mex
#
@@ -18943,55 +18943,55 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id SELECT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; distance:1; http_uri; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004529; classtype:web-application-attack; sid:2004529; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UNION SELECT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; pcre:"/UNION\s+?SELECT/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004530; classtype:web-application-attack; sid:2004530; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id INSERT"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004531; classtype:web-application-attack; sid:2004531; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; classtype:web-application-attack; sid:2004532; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id DELETE"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004532; classtype:web-application-attack; sid:2004532; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; classtype:web-application-attack; sid:2004533; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id ASCII"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004533; classtype:web-application-attack; sid:2004533; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; classtype:web-application-attack; sid:2004534; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Auction SQL Injection Attempt -- subcat.php cate_id UPDATE"; flow:established,to_server; content:"/subcat.php?"; nocase; http_uri; content:"cate_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1298; reference:url,www.milw0rm.com/exploits/3408; reference:url,doc.emergingthreats.net/2004534; classtype:web-application-attack; sid:2004534; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; classtype:web-application-attack; sid:2004535; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id SELECT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004535; classtype:web-application-attack; sid:2004535; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; classtype:web-application-attack; sid:2004536; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UNION SELECT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; pcre:"/UNION\s+?SELECT/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004536; classtype:web-application-attack; sid:2004536; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; classtype:web-application-attack; sid:2004537; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id INSERT"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004537; classtype:web-application-attack; sid:2004537; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; classtype:web-application-attack; sid:2004538; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id DELETE"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004538; classtype:web-application-attack; sid:2004538; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; classtype:web-application-attack; sid:2004539; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id ASCII"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"ASCII("; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004539; classtype:web-application-attack; sid:2004539; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; classtype:web-application-attack; sid:2004540; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJDating SQL Injection Attempt -- view_profile.php user_id UPDATE"; flow:established,to_server; content:"/view_profile.php?"; nocase; http_uri; content:"user_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1297; reference:url,www.milw0rm.com/exploits/3409; reference:url,doc.emergingthreats.net/2004540; classtype:web-application-attack; sid:2004540; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; classtype:web-application-attack; sid:2004541; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AJ Classifieds SQL Injection Attempt -- postingdetails.php postingid SELECT"; flow:established,to_server; content:"/postingdetails.php?"; nocase; http_uri; content:"postingid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; distance:1; reference:cve,CVE-2007-1296; reference:url,www.milw0rm.com/exploits/3410; reference:url,doc.emergingthreats.net/2004541; classtype:web-application-attack; sid:2004541; rev:7;)
#by tinytwitty
#
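Review bot: The two UNION SELECT rewrites disagree: L1006 places `SELECT` with `distance:0` after `UNION` while L1030 uses `distance:1`, although both keep a pcre that requires at least one whitespace byte between the keywords, so `distance:1` is the consistent choice for L1006. In the same hunk L1002 orders the modifiers as `nocase; distance:1; http_uri;` while every other rule in the batch writes `http_uri; distance:1;`; Snort accepts both orders, but the mixed style makes the batch harder to audit. The lazy `\s+?` in the retained pcres matches exactly the same inputs as `\s+` here and could stay as `\s+`.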
@@ -22003,11 +22003,11 @@
#by Kevin Ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+UPTDATE.+SET/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010077; classtype:web-application-attack; sid:2010077; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo INSERT INTO Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; distance:0; nocase; http_uri; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bINSERT\b.*?INTO\b/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010077; classtype:web-application-attack; sid:2010077; rev:4;)
#by Kevin Ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/(modname=meta_certificate|modname=certificate|modname=link).+INSERT.+INTO/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010078; classtype:web-application-attack; sid:2010078; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Docebo UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"/docebo/docebo"; nocase; http_uri; content:"/index.php?modname="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; distance:0; content:"SET"; distance:0; nocase; http_uri; pcre:"/modname=(?:(?:meta_)?certificate|link).+?\bUPDATE\b.*?SET\b/Ui"; reference:url,www.securityfocus.com/bid/36654/info; reference:url,www.securityfocus.com/archive/1/507072; reference:url,doc.emergingthreats.net/2010078; classtype:web-application-attack; sid:2010078; rev:4;)
#by stillsecure
#
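Review bot: The new pcres at L1057 and L1061 put word boundaries on both sides of the first keyword but only after the second (`\bINSERT\b.*?INTO\b`, `\bUPDATE\b.*?SET\b`), so a URI with `INSERT` followed later by a token merely ending in `INTO` or `SET` still satisfies the regex; `\bINTO\b` and `\bSET\b` would make the two halves symmetric. The module-name alternation `modname=(?:(?:meta_)?certificate|link)` is likewise unterminated, so `modname=links` qualifies; a trailing `\b` or `(?:&|$)` would pin it to the three module names the references describe.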
@@ -25034,27 +25034,27 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005366; classtype:web-application-attack; sid:2005366; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005366; classtype:web-application-attack; sid:2005366; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005367; classtype:web-application-attack; sid:2005367; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UNION SELECT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005367; classtype:web-application-attack; sid:2005367; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005368; classtype:web-application-attack; sid:2005368; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass INSERT"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005368; classtype:web-application-attack; sid:2005368; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005369; classtype:web-application-attack; sid:2005369; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass DELETE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005369; classtype:web-application-attack; sid:2005369; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005370; classtype:web-application-attack; sid:2005370; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass ASCII"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005370; classtype:web-application-attack; sid:2005370; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005371; classtype:web-application-attack; sid:2005371; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Just For Fun Network Management System (JFFNMS) SQL Injection Attempt -- auth.php pass UPDATE"; flow:established,to_server; content:"/auth.php?"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-3190; reference:url,www.secunia.com/advisories/25587; reference:url,doc.emergingthreats.net/2005371; classtype:web-application-attack; sid:2005371; rev:7;)
#by tinytwitty
#
@@ -25238,7 +25238,7 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004146; classtype:web-application-attack; sid:2004146; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php SELECT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004146; classtype:web-application-attack; sid:2004146; rev:7;)
#by tinytwitty
#
@@ -25246,19 +25246,19 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004148; classtype:web-application-attack; sid:2004148; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php INSERT"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004148; classtype:web-application-attack; sid:2004148; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004149; classtype:web-application-attack; sid:2004149; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php DELETE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"DELETE"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004149; classtype:web-application-attack; sid:2004149; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004150; classtype:web-application-attack; sid:2004150; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php ASCII"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004150; classtype:web-application-attack; sid:2004150; rev:7;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004151; classtype:web-application-attack; sid:2004151; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Jelsoft vBulletin SQL Injection Attempt -- attachment.php UPDATE"; flow:established,to_server; content:"/admincp/attachment.php?"; nocase; http_uri; content:"UPDATE"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1573; reference:url,www.secunia.com/advisories/24503; reference:url,doc.emergingthreats.net/2004151; classtype:web-application-attack; sid:2004151; rev:7;)
#by tinytwitty
#
@@ -25518,7 +25518,7 @@
#by Stillsecure
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET"; http_method; pcre:"/(listen.php|download.php)/Ui"; content:"?src="; nocase; http_uri; pcre:"/(\.\.\/){1,}/"; reference:url,www.exploit-db.com/exploits/6669/; reference:url,doc.emergingthreats.net/2008651; classtype:web-application-attack; sid:2008651; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS JMweb MP3 src Multiple Local File Inclusion"; flow:established,to_server; content:"GET"; http_method; pcre:"/(listen.php|download.php)/Ui"; content:"?src="; nocase; http_uri; pcre:"/(\.\.\/){1}/"; reference:url,www.exploit-db.com/exploits/6669/; reference:url,doc.emergingthreats.net/2008651; classtype:web-application-attack; sid:2008651; rev:7;)
#by stillsecure
#
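Review bot: The `{1}` quantifier in the rewritten traversal pcre `/(\.\.\/){1}/` is a no-op — `X{1}` is identical to `X` — and because the pattern is unanchored, `(\.\.\/){1,}` and `(\.\.\/){1}` accept exactly the same payloads, so this rev bump carries no detection change; presumably the intent was to avoid an unbounded repeat in the engine, in which case `pcre:"/\.\.\//"` says that more plainly. The same `{1,}` → `{1}` edit appears in the Joomla Pro Desk (sid 2008822), PassWiki (sid 2008687) and ScriptsEz (sid 2008652) hunks further down. Separately, this rule's traversal pcre has no `U` modifier while the Joomla and PassWiki siblings use `/U`, so here it is evaluated against the whole payload rather than the normalized URI buffer — worth aligning if the rule is ever re-enabled.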
@@ -25898,7 +25898,7 @@
#by stillsecure
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_pro_desk"; nocase; http_uri; content:"include_file="; nocase; http_uri; pcre:"/(\.\.\/){1,}/U"; reference:url,secunia.com/advisories/32523/; reference:url,www.exploit-db.com/exploits/6980/; reference:url,doc.emergingthreats.net/2008822; classtype:web-application-attack; sid:2008822; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Pro Desk Component include_file Local File Inclusion"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_pro_desk"; nocase; http_uri; content:"include_file="; nocase; http_uri; pcre:"/(\.\.\/){1}/U"; reference:url,secunia.com/advisories/32523/; reference:url,www.exploit-db.com/exploits/6980/; reference:url,doc.emergingthreats.net/2008822; classtype:web-application-attack; sid:2008822; rev:6;)
#by stillsecure
#
@@ -28722,27 +28722,27 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004730; classtype:web-application-attack; sid:2004730; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004730; classtype:web-application-attack; sid:2004730; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004731; classtype:web-application-attack; sid:2004731; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UNION SELECT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004731; classtype:web-application-attack; sid:2004731; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004732; classtype:web-application-attack; sid:2004732; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php INSERT"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004732; classtype:web-application-attack; sid:2004732; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004733; classtype:web-application-attack; sid:2004733; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php DELETE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004733; classtype:web-application-attack; sid:2004733; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004734; classtype:web-application-attack; sid:2004734; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php ASCII"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004734; classtype:web-application-attack; sid:2004734; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004735; classtype:web-application-attack; sid:2004735; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED NukeSentinel SQL Injection Attempt -- nukesentinel.php UPDATE"; flow:established,to_server; uricontent:"/nukesentinel.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-1172; reference:url,www.milw0rm.com/exploits/3338; reference:url,doc.emergingthreats.net/2004735; classtype:web-application-attack; sid:2004735; rev:6;)
#by tinytwitty
#
@@ -30300,7 +30300,7 @@
#by Stillsecure
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/passwiki.php?site_id="; nocase; pcre:"/(\.\.\/){1,}/U"; reference:bugtraq,29455; reference:url,doc.emergingthreats.net/2008687; classtype:web-application-attack; sid:2008687; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PassWiki site_id Parameter Local File Inclusion"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/passwiki.php?site_id="; nocase; pcre:"/(\.\.\/){1}/U"; reference:bugtraq,29455; reference:url,doc.emergingthreats.net/2008687; classtype:web-application-attack; sid:2008687; rev:6;)
#by tinytwitty
#
@@ -31734,7 +31734,7 @@
#by Stillsecure
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"main.php?action=download"; nocase; uricontent:"&id="; nocase; pcre:"/(\.\.\/){1,}/"; reference:url,www.milw0rm.com/exploits/6715; reference:url,secunia.com/Advisories/32210/; reference:url,doc.emergingthreats.net/2008652; classtype:web-application-attack; sid:2008652; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure"; flow:established,to_server; content:"GET "; depth:4; uricontent:"main.php?action=download"; nocase; uricontent:"&id="; nocase; pcre:"/(\.\.\/){1}/"; reference:url,www.milw0rm.com/exploits/6715; reference:url,secunia.com/Advisories/32210/; reference:url,doc.emergingthreats.net/2008652; classtype:web-application-attack; sid:2008652; rev:4;)
#by stillsecure
#
@@ -32922,7 +32922,7 @@
#by Russ McRee
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS trac q variable open redirect"; flow:to_server,established; uricontent:"/search?q"; nocase; pcre:"/search?q=(ht|f)tp?\:\//iU"; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2951; reference:url,doc.emergingthreats.net/2008648; classtype:web-application-attack; sid:2008648; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS trac q variable open redirect"; flow:to_server,established; content:"/search?q"; nocase; http_uri; pcre:"/search\?q=(ht|f)tp?\:\//iU"; reference:cve,CVE-2008-2951; reference:url,doc.emergingthreats.net/2008648; classtype:web-application-attack; sid:2008648; rev:6;)
#by tinytwitty
#
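Review bot: The rewritten pcre `/search\?q=(ht|f)tp?\:\//iU` carries over the `tp?` group from the old rule, which makes the `p` optional: it matches `htt:/` and `ft:/` but never `https:/`, so the scheme alternation does not do what the message implies. If this rule is re-enabled, `pcre:"/search\?q=(https?|ftp):\//Ui"` expresses the intended schemes and drops the needless `\:` escape. The new `reference:cve,CVE-2008-2951` form also differs from the bare `reference:cve,2004-1049` style used by the GPL rules later in this diff; the file now carries both, and settling on one keeps reference URL generation uniform.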
@@ -34790,27 +34790,27 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005865; classtype:web-application-attack; sid:2005865; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005865; classtype:web-application-attack; sid:2005865; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005866; classtype:web-application-attack; sid:2005866; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UNION SELECT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UNION"; nocase; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005866; classtype:web-application-attack; sid:2005866; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005867; classtype:web-application-attack; sid:2005867; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php INSERT"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005867; classtype:web-application-attack; sid:2005867; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005868; classtype:web-application-attack; sid:2005868; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php DELETE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005868; classtype:web-application-attack; sid:2005868; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005869; classtype:web-application-attack; sid:2005869; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php ASCII"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"SELECT"; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005869; classtype:web-application-attack; sid:2005869; rev:6;)
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005870; classtype:web-application-attack; sid:2005870; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED WordPress SQL Injection Attempt -- wp-trackback.php UPDATE"; flow:established,to_server; uricontent:"/wp-trackback.php?"; nocase; uricontent:"UPDATE"; nocase; pcre:"/UPDATE.+SET/Ui"; reference:cve,CVE-2007-0107; reference:url,www.securityfocus.com/bid/21907; reference:url,doc.emergingthreats.net/2005870; classtype:web-application-attack; sid:2005870; rev:6;)
#by Stillsecure
#
@@ -35234,7 +35234,7 @@
#by kevin ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; uricontent:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; uricontent:"commandId="; nocase; pcre:"/\x2Fzport\x2Fdmd\x2FDevices\x2Fdevices\xFlocalhost\x2Fmanage\x5FdoUserCommand.+commandId\x3D[a-z]/Ui"; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010762; classtype:web-application-attack; sid:2010762; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt"; flow:established,to_server; content:"/zport/dmd/Devices/devices/localhost/manage_doUserCommand"; nocase; http_uri; content:"commandId="; http_uri; nocase; distance:0; pcre:"/commandId\x3D[a-z]/Ui"; reference:url,www.securityfocus.com/bid/37843; reference:url,doc.emergingthreats.net/2010762; classtype:web-application-attack; sid:2010762; rev:6;)
#by kevin ross
#
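Review bot: The two `http_uri` matches in the rewritten Zenoss rule order their modifiers differently — `nocase; http_uri` on the first content and `http_uri; nocase; distance:0` on the second — which reads as if they were written at different times; `content:"commandId="; nocase; http_uri; distance:0;` keeps the same order as the first match and as the vBulletin rules earlier in this diff. For the record, the new pcre also drops the `\xFlocalhost` fragment of the old pattern, where `\xF` followed by a literal `l` was almost certainly a typo for `\x2F`, so the disabled rule is at least well-formed should it be revived.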
@@ -36965,7 +36965,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF Name Representation Obfuscation of /Subtype"; flow:established,to_client; file_data; content:"PDF-"; content:"/"; distance:0; content:!"Subtype"; within:7; content:"#"; within:19; pcre:"/\x2F(?!Subtype)(S|#53)(u|#75)(b|#62)(t|#74)(y|#79)(p|#70)(e|#65)/"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; classtype:bad-unknown; sid:2011528; rev:6;)
#
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP undefined code"; icode:>18; classtype:misc-activity; sid:100000197; rev:2;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP undefined code"; icode:>18; classtype:misc-activity; sid:100000197; rev:3;)
#
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:2100387; rev:8;)
@@ -37094,7 +37094,7 @@
#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:2100423; rev:6;)
#
-alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:2100467; rev:4;)
+#alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:2100467; rev:5;)
#
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ICMP_INFO PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:2100366; rev:8;)
@@ -37514,7 +37514,7 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:2103079; rev:4;)
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; file_data; content:"clsid|3A|"; nocase; distance:0; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; distance:0; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2485; rev:9;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; file_data; content:"clsid|3A|"; nocase; distance:0; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; distance:0; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2102485; rev:12;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:2103134; rev:4;)
@@ -37538,7 +37538,7 @@
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102440; rev:6;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:2103192; rev:3;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:2103192; rev:4;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT XMLHttpRequest attempt"; flow:to_client,established; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:2101735; rev:8;)
@@ -37658,7 +37658,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER perl post attempt"; flow:to_server,established; content:"POST"; http_method; content:"/perl/"; http_uri; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:2101979; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2102654; rev:4;)
#
##alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"GPL DELETED Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:2103063; rev:4;)
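Review bot: The PHPNuke viewtopic rule (sid 2102654) keeps its pre-existing mix of buffers through this renumber: `/modules.php` is a `uricontent` match, but `name=Forums`, `file=viewtopic` and the pcre `/forum=.*'/` are plain payload matches with no `http_uri`/`U`, so the quote can be matched anywhere in the request (headers, body, cookies) and `.*` rescans the rest of the line on every candidate — and this rule stays enabled, so both accuracy and cost are affected. Since the rev is bumped anyway, `content:"name=Forums"; http_uri; content:"file=viewtopic"; http_uri; pcre:"/forum=.*'/U";` would confine the whole rule to the normalized URI while keeping the same literal terms.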
@@ -37679,7 +37679,7 @@
##alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD overflow attempt"; flow:established,to_server; content:"FOLD"; nocase; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; reference:nessus,10130; classtype:attempted-admin; sid:2101934; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2102409; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:2101635; rev:14;)
@@ -37715,7 +37715,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:2101937; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2666; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s+[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102666; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:2101634; rev:15;)
@@ -37736,7 +37736,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+[^\n]*?%/smi"; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2102250; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:2101866; rev:12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; reference:bugtraq,11256; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:2101866; rev:14;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:2101938; rev:5;)
@@ -37754,19 +37754,19 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102014; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2101262; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2101263; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:1264; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2101264; rev:14;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101747; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2101265; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17;)
@@ -37784,13 +37784,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2102036; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2101267; rev:12;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102080; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2101268; rev:13;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101922; rev:7;)
@@ -37799,25 +37799,25 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102093; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2101269; rev:11;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102082; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2101270; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2101271; rev:15;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2101733; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2101272; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2101273; rev:11;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19;)
@@ -37829,10 +37829,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2101275; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2101276; rev:15;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11;)
@@ -37958,7 +37958,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:2100530; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:2101239; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2980; rev:3;)
@@ -38222,7 +38222,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103027; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103043; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103043; rev:8;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103051; rev:6;)
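Review bot: Commenting out sid 2103043 leaves no enabled detection for the SMB NT CREATE SACL ace-size DoS in this hunk, because the only other variant (sid 2103051, the distance:20 form on the next line) is already disabled, and nothing records why the rule is coming off. The rev bump to 8 with no change to the rule body reads as a deliberate retirement; if so, the file's convention for retired rules is a `##` prefix with `GPL DELETED` in the msg, as used for sid 2102726 elsewhere in this diff. If it is a temporary disable (false positives from `flow:stateless` matching on unestablished traffic would be a plausible cause, but the diff does not say), a line such as `# 2103043 disabled pending FP review` above it would keep the state from being mistaken for an accidental edit.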
@@ -38495,7 +38495,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2102177; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:10;)
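Review bot: Sid 2102950 is disabled and its rev bumped to 4 with no change to the rule and no comment giving the reason, so a maintainer cannot tell whether the stacked-AndX check is retired or only switched off for now. It keeps a single `#` and its original msg, which in this file is the form used for rules expected to come back, whereas the rules removed for good in this diff use `##` and a `GPL DELETED` msg. Either add a one-line reason above it (`# 2102950 disabled: <reason>`) or, if it is being removed permanently, rename to `GPL DELETED SMB too many stacked requests` with the `##` prefix so the two states stay distinguishable.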
@@ -38684,7 +38684,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101420; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"GPL VOIP Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; classtype:attempted-dos; sid:100000892; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"GPL VOIP Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; classtype:attempted-dos; sid:100000892; rev:2;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"GPL POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2102044; rev:6;)
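Review bot: Sid 100000892 is commented out without a rev bump (still rev:2), whereas the other rules disabled in this diff (2103043, 2102950, 2102091) each bump rev, so the sid/rev pair no longer tells a downstream consumer that anything changed. No reason is recorded either; the only references are a 2005 Ethereal dissector advisory, so if the rule is being dropped because it only covered that obsolete bug, say so above the line. Suggested: `# 100000892 disabled: <reason>` on the preceding line and `rev:3` in the rule.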
@@ -38939,7 +38939,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:17;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt with brace"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:17;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:2100489; rev:9;)
@@ -40166,7 +40166,7 @@
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; fast_pattern:32,4; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:11;)
#
##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:2101002; rev:9;)
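Review bot: With sid 2102091 commented out, every rule in this hunk that references CVE-2003-0109 / MS03-007 is now disabled (2102090 on the line above was already off), so WebDAV `SEARCH` probing of IIS is no longer covered here at all, and nothing in the diff says whether that loss is intended. If the rule was turned off for noise, its `SEARCH` method plus `urilen:1` is already quite specific and a `threshold` would be a smaller change than removal; if the affected IIS versions are simply out of scope, a comment stating that is enough. Suggest `# 2102091 disabled: <reason>` above the line so the rev bump to 11 has an explanation.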
@@ -40349,10 +40349,10 @@
##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 901 (msg:"GPL DELETED Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102598; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP SMTP Hydra Activity Detected"; flow:to_server,established; content:"hydra"; nocase; pcre:"/^(EH|HE)LO\s+hydra\x0D\x0A/smi"; reference:url,www.thc.org/releases.php; classtype:misc-attack; sid:100000167; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; content:!"|0a|"; within:255; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2102259; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; content:!"|0a|"; within:255; pcre:"/^EXPN[^\n]{255}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2102259; rev:9;)
#
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2102590; rev:5;)
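Review bot: Sid 100000167 is commented out but keeps rev:1, unlike the other disables in this diff, and no reason is given; the pcre only matches Hydra's default `EHLO hydra` greeting, which is trivially changed by the attacker, so if that is the motivation a comment such as `# 100000167 disabled: matches default banner only` would document it. The EXPN change on sid 2102259 (`{255,}` to `{255}`) is match-equivalent because nothing follows the quantifier, so it only stops the greedy scan at 255 bytes; that is a performance change and the rev bump is appropriate. Note that `isdataat:255,relative` and `content:!"|0a|"; within:255` already enforce the same 255-byte no-LF condition, so the pcre now contributes only the `^EXPN` line-start anchor, which is worth a comment so the next editor does not delete it as redundant.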
@@ -40484,7 +40484,7 @@
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102726; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:3;)
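Review bot: Sid 2726 is renumbered to 2102726 and marked `GPL DELETED`, but rev stays at 2 even though the sid, the msg and the options (`fast_pattern:only` removed) all changed, and it uses a single `#` where the other DELETED rules in this diff use `##`. The siblings 2102725 and 2102727 cite the same appsecinc advisory with an identical pcre and stay enabled, so if the deletion is only about the out-of-range sid rather than the detection itself, keeping the `_number` variant active under the new sid would be the consistent choice. At minimum bump to `rev:3` and use the `##` prefix.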
@@ -40991,7 +40991,7 @@
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102872; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;)
+##alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:2;)
#
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102874; rev:3;)
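Review bot: Sid 2873 is marked `GPL DELETED` and rev bumped to 2, but the sid is left in the original Snort range while the parallel change for 2726 in this diff renumbers it to 2102726; a deleted rule that keeps a sub-2100000 sid will collide with the upstream Snort sid 2873 if it is ever re-enabled alongside the upstream set. Renumber to `sid:2102873` for consistency with the rest of the GPL block (the neighbouring 2102872 and 2102874 already use that scheme).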
@@ -41618,7 +41618,7 @@
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3A| root"; fast_pattern:only; classtype:suspicious-login; sid:2100719; rev:9;)
#
-alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Linksys apply.cgi overflow attempt"; flow:to_server,established; content:"/apply.cgi"; http_uri; fast_pattern:only; content:"Content-Length|3A|"; isdataat:1000,relative; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:4;)
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Linksys apply.cgi overflow attempt"; flow:to_server,established; content:"/apply.cgi"; http_uri; fast_pattern:only; content:"Content-Length|3A|"; isdataat:1000,relative; content:!"|0a|"; within:1000; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:5;)
#
#alert tcp any any <> any 179 (msg:"GPL MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2102158; rev:9;)
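Review bot: The replacement check on sid 100000177 changes detection, not only cost: the old pcre's `\s*` could span a CRLF, so 1000 non-CRLF bytes on the header line after `Content-Length:` matched, whereas `content:!"|0a|"; within:1000` requires the 1000 bytes immediately after the colon to be LF-free; that is stricter and arguably what was intended, but it should be stated with the rev bump. While touching the rule, `Content-Length|3A|` has neither `nocase` nor `http_header`, so a lower-cased header name (legal in HTTP) evades it and the negated match runs over the raw payload rather than the header buffer; suggest `content:"Content-Length|3A|"; nocase; http_header; isdataat:1000,relative; content:!"|0a|"; within:1000; http_header;`. The `any any` source instead of `$EXTERNAL_NET any` is pre-existing but worth revisiting at the same time.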
@@ -41756,7 +41756,7 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2101893; rev:5;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2101893; rev:5;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:2101892; rev:7;)
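Review bot: Sid 2101893 is commented out with rev left at 5, while the other disables in this diff bump rev, and no reason is recorded. If the motivation is false positives — plausible, since `content:"|04 00|"; depth:15; offset:5` matches any zero-length OCTET STRING anywhere in bytes 5–19 rather than specifically the community field — say so in a comment, so the companion rule 2101892 (`|04 01 00|`, still enabled) is not assumed to share the problem. Suggest `# 2101893 disabled: <reason>` above the line and `rev:6`.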
@@ -42062,13 +42062,13 @@
#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY route1.com SSL certificate for remote access detected"; flow:established,to_client; content:"Route1 Security Corporation"; nocase; classtype:bad-unknown; sid:2011579; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011584; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011584; rev:9;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011581; rev:9;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"37"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:23;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"71"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:31;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/catalogo.php?"; nocase; uricontent:"id_livello="; nocase; pcre:"/id_livello\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13028; classtype:web-application-attack; sid:2011571; rev:1;)
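Review bot: The 1.6.x rule (sid 2011582) still negates one literal update number (`content:!"71"; within:2`), so every Java 6 update other than exactly 71 — including any later, patched update — is reported as vulnerable, and the rule has to be re-edited on each release (rev 23 to 31 in this hunk alone). A range match would be self-maintaining: keep `content:" Java/1.6.0_"; http_header;` as the anchor and replace the negated content with `pcre:"/ Java\/1\.6\.0_(?:[0-6]?\d|70)(?!\d)/H"`, which matches updates 0–70 and stops matching once the update number exceeds 70. The 1.4.x rule (sid 2011584) also drops `flowbits:unset,ET.http.javaclient`, bringing it in line with its 1.5.x sibling; no rule visible in this hunk relied on that unset, but any rule that tests the bit should be checked.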
@@ -42137,7 +42137,7 @@
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; classtype:bad-unknown; sid:2011546; rev:2;)
#by lord chodelmort
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JAR Download From Crimepack Exploit Kit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:trojan-activity; sid:2011544; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN JAR Download From Crimepack Exploit Kit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"cpak/Crimepack"; nocase; reference:url,doc.emergingthreats.net/2011544; reference:url,krebsonsecurity.com/tag/crimepack/; reference:url,www.offensivecomputing.net/?q=node/1572; classtype:trojan-activity; sid:2011544; rev:5;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Shockwave Director tSAC Chunk memory corruption Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|74 53 41 43 1D 02 00 00 00 00 00 0F 00 00 00 AE 00 00 01 63 00 00 00 14 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 14 00 00 01 00 FF FF 11 11 00 00|"; fast_pattern:only; reference:url,exploit-db.com/download_pdf/15077; classtype:attempted-user; sid:2011543; rev:5;)
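Review bot: The new sid 2011544 gates on `flowbits:isset,ET.http.javaclient`, but the only setters visible nearby (sids 2011584/2011581/2011582) set a different bit, `ET.http.javaclient.vulnerable`; unless a rule elsewhere in the file sets the shorter name, this rule can never fire, so please confirm the setter exists before shipping. Dropping the `PK` magic also leaves `cpak/Crimepack` as an unanchored, case-insensitive substring of any response body, which is broader than a JAR download. If the intent was only to fix the `within:2` with no prior relative match, `file_data; content:"PK"; depth:2; content:"cpak/Crimepack"; nocase;` keeps the archive anchoring without that problem.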
@@ -42323,10 +42323,10 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY phoenix exploit kit landing page"; flow:established,to_client; content:"dev.s.AdgredY"; content:"tmp/des.jar"; content:".php?deserialize"; classtype:bad-unknown; sid:2011369; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot infected host POSTing process list"; flow:established,to_server; content:"POST"; http_method; nocase; content:"[System Process]|0a|"; http_client_body; depth:17; classtype:trojan-activity; sid:2011364; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host POSTing process list"; flow:established,to_server; content:"POST"; http_method; nocase; content:"[System Process]|0a|"; http_client_body; depth:17; classtype:trojan-activity; sid:2011364; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot infected host checkin"; flow:established,to_server; content:"/search"; http_uri; depth:7; content:"?fr=altavista&itag="; depth:28; http_uri; content:"&kls="; http_uri; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2011365; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sinowal/sinonet/mebroot/Torpig infected host checkin"; flow:established,to_server; content:"/search"; http_uri; depth:7; content:"?fr=altavista&itag="; depth:28; http_uri; content:"&kls="; http_uri; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2011365; rev:9;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV SetupSecure Download Attempt SetupSecure"; flow:established,to_server; content:"/download/SetupSecure_"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=virus-scanner-6.com; classtype:trojan-activity; sid:2011357; rev:2;)
@@ -42335,10 +42335,10 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape %u Shellcode/Heap Spray"; flow:established,to_client; content:"unescape"; nocase; content:"%u"; nocase; distance:0; content:"%u"; nocase; within:6; pcre:"/unescape.+\x25u[0-9,a-f]{2,4}\x25u[0-9,a-f]{2,4}/smi"; reference:url,www.w3schools.com/jsref/jsref_unescape.asp; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; reference:url,malzilla.sourceforge.net/tutorial01/index.html; reference:url,doc.emergingthreats.net/2011346; classtype:shellcode-detect; sid:2011346; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY request for hide-my-ip.com autoupdate"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/auto_update/HideMyIP/update.dat"; http_uri; nocase; classtype:policy-violation; sid:2011311; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS request for hide-my-ip.com autoupdate"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/auto_update/HideMyIP/update.dat"; http_uri; nocase; classtype:policy-violation; sid:2011311; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS hide-my-ip.com POST version check"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Host|3A|"; nocase; content:"hide|2d|my|2d|ip|2e|com"; nocase; within:20; content:"cmd|3d|"; nocase; content:"ver|3d|"; nocase; content:"hcode|3d|"; nocase; content:"product|3d|"; nocase; content:"year|3d|"; nocase; content:"xhcode|3d|"; nocase; classtype:policy-violation; sid:2011312; rev:3;)
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY bredolab - hidden div served by nginx"; flow:established,to_client; content:"|0d 0a|Server|3a| nginx"; content:"<div style=\"visibility|3a| hidden|3b|\"><"; depth:120; classtype:bad-unknown; sid:2011307; rev:2;)
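Review bot: Both sid 2011311 and sid 2011312 change their `msg` category from `ET POLICY` to `ET CURRENT_EVENTS` but keep `rev:3`, so consumers that track changes by sid+rev (pulledpork, oinkmaster, local modifysid overrides) will not pick up the rename. Bump each to `rev:4` with the text change. The `classtype:policy-violation` also still says POLICY while the name now says CURRENT_EVENTS; if the move is deliberate, consider whether the classtype (and thus the default priority) should follow it.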
@@ -42464,10 +42464,10 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt"; flow:established,to_client; content:"String.FromCharCode("; fast_pattern:only; nocase; pcre:"/String\x2EFromCharCode\x28[0-9]{1,3}/i"; reference:url,www.w3schools.com/jsref/jsref_fromCharCode.asp; reference:url,www.roseindia.net/javascript/method-fromcharcode.shtml; reference:url,isc.sans.org/diary.html?storyid=7906; reference:url,isc.sans.org/diary.html?storyid=7903; classtype:bad-unknown; sid:2011347; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011348; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|np"; http_client_body; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011348; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011349; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; http_client_body; distance:32; within:4; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011349; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java and PDF exploits"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|jp"; http_client_body; distance:5; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011350; rev:3;)
@@ -42485,16 +42485,16 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby bredolab hidden div served by nginx"; flow:established,to_client; content:"Server|3a| nginx"; http_header; file_data; content:"<div style=|22|visibility|3a| hidden|3b 22|><"; within:120; classtype:bad-unknown; sid:2011355; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/wizards/common/_logintowizard.cfm"; http_uri; content:"locale=%00../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011358; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/wizards/common/_logintowizard.cfm"; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011358; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/archives/index.cfm"; nocase; http_uri; content:"locale=%00../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011359; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/archives/index.cfm"; nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011359; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/entman/index.cfm"; nocase; http_uri; content:"locale=%00../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011360; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/entman/index.cfm"; nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011360; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/enter.cfm"; nocase; http_uri; content:"locale=%00../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011362; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/CFIDE/administrator/enter.cfm"; nocase; http_uri; content:"locale=../../"; nocase; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; reference:url,www.exploit-db.com/exploits/14641/; classtype:web-application-attack; sid:2011362; rev:3;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Apple Quicktime Invalid SMIL URI Buffer Overflow Attempt"; flow:established,to_client; content:"|3C|smil"; nocase; content:"|3C|img src="; nocase; distance:0; content:!"http"; nocase; within:20; content:"|3A|//"; within:20; isdataat:700,relative; content:!"|3C 2F|smil|3E|"; nocase; within:700; content:!"|0A|"; within:700; reference:url,securitytracker.com/alerts/2010/Aug/1024336.html; reference:bugtraq,41962; reference:cve,2010-1799; classtype:attempted-user; sid:2011366; rev:2;)
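Review bot: In each of the four rebuilt ColdFusion rules the traversal content `locale=../../` carries no buffer modifier, so it is scanned across the raw stream (headers included) rather than the POST body where a `locale` parameter of a `POST` to these `.cfm` pages would be carried; `content:"locale=../../"; nocase; http_client_body;` binds it and removes the header scan. The literal also only catches the plain form of the traversal — a client sending `%2e%2e%2f` or `..%2f` in the body, which the server presumably decodes (not shown here), would pass untouched; a small `pcre:"/locale=(\.\.|%2e%2e)(\/|%2f)/Pi"` next to the content would close that gap if the exploit variants warrant it. Dropping the leading `%00` widens the match, which looks intentional, but the rev bump to 3 is the only record of why; a `#` line above the group noting it would help the next edit.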
@@ -42563,7 +42563,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Trojan FakeAV Downloader"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&n="; http_uri; classtype:trojan-activity; sid:2011416; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<?php"; nocase; fast_pattern; content:"?>"; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"<?php"; nocase; fast_pattern:only; http_client_body; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:4;)
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED MALVERTISING Hidden iframe Redirecting to SEO Driveby Site"; flow:established,to_client; content:"width=\"1\" height=\"1\" marginwidth=\"0\" marginheight=\"0\" frameborder=\"0\" scrolling=\"no\" allowtransparency=\"true\"></iframe>"; fast_pattern:only; classtype:bad-unknown; sid:2011417; rev:3;)
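Review bot: Sid 2011768 now fires on any POST body containing `<?php` with nothing else required: the old `?>` corroborator is gone and there is no threshold, so every forum post, pastebin, bug tracker or code-review submission that includes a PHP snippet on a `$HOME_NET` server will alert. Binding to `http_client_body` is the right change, but consider keeping a second indicator (e.g. `content:"?>"; http_client_body; distance:0;`, or a `pcre` for a function call right after the open tag) or adding `threshold: type limit, track by_src, count 1, seconds 300;` to bound the noise. Note also that `http_client_body` only covers as much of the body as the HTTP preprocessor is configured to inspect, so a tag deep in a large upload is not seen by this rule.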
@@ -42617,7 +42617,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS 4images global.php db_servertype Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/global.php?"; nocase; uricontent:"db_servertype="; nocase; pcre:"/db_servertype=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/14712/; classtype:web-application-attack; sid:2011454; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; content:"PROPFIND"; http_method; nocase; flowbits:set,ET_PROPFIND; flowbits:noalert; classtype:misc-activity; sid:2011456; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; content:"PROPFIND "; fast_pattern:only; content:"PROPFIND"; http_method; nocase; flowbits:set,ET_PROPFIND; flowbits:noalert; classtype:misc-activity; sid:2011456; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share, Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET_PROPFIND; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:3;)
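Review bot: The added `content:"PROPFIND "; fast_pattern:only;` in sid 2011456 is case-sensitive while the existing `content:"PROPFIND"; http_method; nocase;` is not, so the two conditions no longer agree on a lowercase or mixed-case method. In Snort the fast-pattern matcher is case-insensitive and `only` skips rule evaluation, so it happens to work there, but at least one engine this ruleset targets documents that it still evaluates a `fast_pattern:only` content as an ordinary match, which would silently drop the non-uppercase case that the `http_method` match was written to catch. `content:"PROPFIND "; nocase; fast_pattern:only;` makes the intent explicit on both engines at no cost.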
@@ -42686,7 +42686,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz/Rohimafo Checkin"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010791; classtype:trojan-activity; sid:2011791; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz/Rohimafo Proxy Registration"; flow:established,to_server; content:"/socks.php?name="; nocase; http_uri; content:"&port="; nocase; http_uri; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011792; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Shiz/Rohimafo Proxy Registration"; flow:established,to_server; content:"/socks.php?name="; nocase; http_uri; content:"&port="; nocase; http_uri; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011792; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz/Rohimafo Binary Download Request"; flow:established,to_server; content:".php?id="; nocase; http_uri; content:"&magic="; http_uri; nocase; fast_pattern; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2010-041308-3301-99&tabid=2; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; reference:url,doc.emergingthreats.net/2010793; classtype:trojan-activity; sid:2011769; rev:5;)
@@ -42707,7 +42707,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shiz or Rohimafo Reporting Listening Socket to CnC Server"; flow:established,to_server; content:"/socks.php?"; nocase; http_uri; content:"name="; nocase; http_uri; content:"&port="; http_uri; nocase; pcre:"/port=[1-9]{1,5}/Ui"; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011523; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Knok.php Shiz or Rohimafo Host Information Submission to CnC Server"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/knok.php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011524; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Knok.php Shiz or Rohimafo Host Information Submission to CnC Server"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/knok.php?id="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&up="; nocase; http_uri; content:"&os="; nocase; http_uri; reference:url,asert.arbornetworks.com/2010/09/shiz-and-rohimafo-malware-cousins/; reference:url,threatexpert.com/report.aspx?md5=3614d4f6527d512b61c27c4e213347a6; reference:url,threatexpert.com/report.aspx?md5=0bb4662b54f02c989edc520314fc20ea; reference:url,threatexpert.com/report.aspx?md5=a671eb9979505119f4106a990c4ef7ab; classtype:trojan-activity; sid:2011524; rev:2;)
#
#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo Cert Exchange"; flow:established,to_client; ssl_version:sslv2,sslv3,tls1.0,tls1.1,tls1.2; content:"|16|"; content:"|0b|"; within:8; content:"|00 a6 ed b9 1e 40 75 6f 88 0a 30 85 7b 68 b1 8d 48 89 27 33 36 20 ac 1e e8 d6 44 31 78 37 f7 e1 d0 d5 44 cf 4e 67 cb 64 ba 6c fa b6 5f a2 51 c3 5e e4 4a 31 76 c6 15 d4 85 d2 75 d8 ce 8b 4f 0b 38 bb 19 ab b0 10 94 d9 ca bd bb 65 98 c0 d4 2e 9a a4 64 90 f4 6c ee c0 db d9 e2 b0 97 ca cb 55 11 a8 00 4b c3 90 e0 7d c3 e1 d5 92 d7 b6 60 df 52 02 6f 9a 38 13 9a f4 cf 4f 68 fd 4c f8 ea ed 15|"; classtype:not-suspicious; sid:2011525; rev:2;)
@@ -42725,7 +42725,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer CSS Cross-Origin Theft Attempt"; flow:established,to_client; content:"document.body.currentStyle.fontFamily"; nocase; content:".indexOf(|22|authenticity_token"; nocase; distance:0; reference:url,www.theregister.co.uk/2010/09/06/mystery_ie_bug/; reference:url,www.darknet.org.uk/2010/09/microsoft-investigate-ie-css-cross-origin-theft-vulnerability/; reference:url,seclists.org/fulldisclosure/2010/Sep/64; classtype:bad-unknown; sid:2011472; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Checkin"; flow:established,to_server; content:"getfile.php?r="; http_uri; content:"&p="; http_uri; pcre:"/php\?r=\d+&p=/U"; classtype:trojan-activity; sid:2011474; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:established,to_server; content:"getfile.php?r="; http_uri; content:"&p="; http_uri; pcre:"/php\?r=\d+&p=/U"; classtype:trojan-activity; sid:2011474; rev:2;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FAKEAV scanner page enocuntered - .hdd_icon"; flow:established,to_client; content:".hdd_icon"; nocase; classtype:bad-unknown; sid:2011475; rev:2;)
@@ -42740,7 +42740,7 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; nocase; http_header; content:"User-Agent|3a| "; nocase; http_header; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Request to CnC"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; depth:60; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"|0d 0a|Referer|3a| "; http_header; nocase; content:"|3a| no-cache"; http_header; content:!"/webhp"; http_uri; depth:6; content:!"Host|3a| login.live.com|0d 0a|"; http_header; content:!"www.bing.com"; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:17;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot Request to CnC"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; depth:60; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; http_header; nocase; content:"|3a| no-cache"; http_header; content:!"/webhp"; http_uri; depth:6; content:!"Host|3a| login.live.com|0d 0a|"; http_header; content:!"www.bing.com"; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:18;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; file_data; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:5;)
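Review bot: Sid 2011588 carries three hard-coded negations (`!"/webhp"` in the URI, `!"Host|3a| login.live.com|0d 0a|"` and `!"www.bing.com"` in headers) with nothing recording why they are there; they read as false-positive exclusions for clients that send the same fixed `GET / HTTP/1.1` / `Accept` / `Connection: Close` / `User-Agent` header order, but that is inference. A `#` line above the rule such as `# negations below exclude clients observed sending the same header order (Live login, Bing, Google /webhp); keep in sync when adding exclusions` would stop a later revision from dropping one. Removing `http_header` from the `Host` content is needed for the `distance:0` relative match from the raw-payload first content, so that part looks correct.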
@@ -42914,7 +42914,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jomestate Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/real_estate/index.php?"; nocase; http_uri; content:"option=com_jomestate"; nocase; http_uri; content:"task="; nocase; http_uri; pcre:"/task=\s*(ftps?|https?|php)\:\//Ui"; reference:url,inj3ct0r.com/exploits/12835; classtype:web-application-attack; sid:2011847; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Comotor.A!dll Reporting 1"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/upd/check.php?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"cver="; nocase; http_uri; content:"id="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011848; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Comotor.A!dll Reporting 1"; flow:to_server,established; content:".php?ver="; http_uri; content:"&cver="; fast_pattern:only; http_uri; content:"&id="; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\.php\?ver=\d\&cver=\d\&id=\d{5}$/U"; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011848; rev:4;)
#by dave richards
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Comotor.A!dll Reporting 2"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/cy/dl.php"; nocase; http_uri; content:"id="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=5e1c680e70e423dd02e31ab9d689e40b; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FComotor.A!dll&ThreatID=-2147346593; classtype:trojan-activity; sid:2011849; rev:3;)
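Review bot: The new pcre in sid 2011848, `/\.php\?ver=\d\&cver=\d\&id=\d{5}$/U`, pins `ver` and `cver` to exactly one digit and `id` to exactly five, so the first sample that reports `ver=10` or a four- or six-digit id stops matching while the content matches still pass. Unless the single-digit form is known from the referenced reports (not shown here), `\d+` for the two version fields, and `\d{4,6}` or `\d+` for `id`, keeps the intent without the brittleness. The generic `.php?ver=` in place of the old `/upd/check.php?` also widens the URI match considerably; the missing `User-Agent` header and the pcre are now doing all the work, which is worth a note in the msg or a `#` line.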
@@ -42941,7 +42941,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de1adb1df396863e7e3967271e7db734; classtype:trojan-activity; sid:2011856; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye C&C Check-in URI"; flow:established,to_server; content:"guid="; http_uri; content:"ver="; http_uri; content:"stat="; http_uri; fast_pattern:only; content:"ie="; http_uri; content:"os="; http_uri; pcre:"/(\?|&)guid=.*?!.*?!.*?&/U"; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; classtype:trojan-activity; sid:2011857; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye C&C Check-in URI"; flow:established,to_server; content:"guid="; http_uri; content:"ver="; http_uri; content:"stat="; http_uri; fast_pattern; content:"ie="; http_uri; content:"os="; http_uri; pcre:"/(\?|&)guid=[^!&]+?\!/U"; reference:url,www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot; reference:url,krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/; classtype:trojan-activity; sid:2011857; rev:6;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Hostile HTTP Header GET structure"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|"; fast_pattern; content:".php"; nocase; http_uri; content:"|0d 0a|Host|3a 20|"; content:"|0d 0a|Pragma|3a| no-cache|0d 0a|"; distance:0; content:!"|0d 0a|Host|3a| update.nai.com"; distance:0; content:!"|0d 0a|Host|3a 20|toolbarqueries.google."; http_header; content:!".ceipmsn.com|0d 0a|Pragma|3a 20|"; http_header; content:!"Host|3a| stats.mbamupdates.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2011858; rev:12;)
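Review bot: The five `http_uri` contents in sid 2011857 are bare substrings (`ver=` also matches `server=`, `os=` matches `photos=`, `ie=` matches `cookie=`), so the rule's selectivity rests entirely on the rewritten pcre `/(\?|&)guid=[^!&]+?\!/U`. That pcre is a clear improvement over the old `.*?!.*?!.*?&` form, which could backtrack badly on long URIs, and the switch from `fast_pattern:only` to `fast_pattern` on `stat=` is correct now that the content must also be evaluated. If the parameter order is fixed in the checkin, prefixing the contents with the separator (`content:"&ver="` etc.) would cut the pre-pcre candidate set; if it is not, a comment saying so would save the next reader the same question.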
@@ -42956,7 +42956,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Feodo Banking Trojan Account Details Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"AccountSummary"; nocase; fast_pattern; content:"userid|3A|"; nocase; distance:0; content:"password|3A|"; nocase; distance:0; content:"screenid|3A|"; nocase; distance:0; content:"origination|3A|"; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html#more; classtype:trojan-activity; sid:2011862; rev:4;)
#kevin ross
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Feodo Banking Trojan Receiving Configuration File"; flow:established,from_server; content:"ibanking-services.com"; nocase; content:"webcash"; nocase; distance:0; content:"/wires/"; nocase; content:"amazon.com"; nocase; distance:0; content:"EncryptPassword"; fast_pattern; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; classtype:trojan-activity; sid:2011863; rev:3;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Feodo Banking Trojan Receiving Configuration File"; flow:established,from_server; content:"ibanking-services.com"; nocase; content:"webcash"; nocase; distance:0; content:"/wires/"; nocase; content:"amazon.com"; nocase; distance:0; content:"EncryptPassword"; fast_pattern; nocase; distance:0; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; classtype:trojan-activity; sid:2011863; rev:4;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Oracle Java APPLET Tag Children Property Memory Corruption Attempt"; flow:established,to_client; content:"APPLET"; nocase; content:"children"; nocase; distance:0; content:"location.reload"; nocase; within:100; reference:url,code.google.com/p/skylined/issues/detail?id=18; reference:url,www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html; classtype:attempted-user; sid:2011864; rev:1;)
@@ -43010,7 +43010,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpBazar picturelib.php Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/bazar/picturelib.php?"; nocase; http_uri; content:"cat="; nocase; http_uri; pcre:"/cat=\s*(ftps?|https?|php)\x3a\//Ui"; reference:cve,CVE-2010-2315; reference:url,exploit-db.com/exploits/12855/; classtype:web-application-attack; sid:2011880; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/mw_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(ftps?|https?|php)\x3\//Ui"; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011881; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics mw_plugin.php IP Parameter Remote File inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/mw_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011881; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Open Web Analytics owa_action Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"owa_action="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/11903/; classtype:web-application-attack; sid:2011882; rev:2;)
@@ -43322,7 +43322,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FAKEAV Gemini systempack exe download"; flow:established,to_client; content:"Content-Disposition|3a| attachment|3b| filename=systempack"; http_header; classtype:trojan-activity; sid:2011991; rev:1;)
#
-#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET CURRENT_EVENTS Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:2;)
+##alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET CURRENT_EVENTS ProFTPD Backdoor outbound Request Sent"; flow:established,to_server; content:"GET /AB"; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011993; rev:1;)
#
alert tcp any any -> $HOME_NET 21 (msg:"ET CURRENT_EVENTS ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)"; flow:established,to_server; content:"HELP "; depth:5; content:"ACIDBITCHEZ"; distance:0; nocase; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; classtype:trojan-activity; sid:2011994; rev:4;)
@@ -43331,7 +43334,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS invoice.scr download most likely a TROJAN"; flow:established,to_server; content:"GET"; http_method; content:"|2F|invoice.scr"; nocase; http_uri; pcre:"/\x2Finvoice\x2Escr$/Ui"; classtype:trojan-activity; sid:2011995; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Darkness DDoS Bot Checkin"; flow:established,to_server; content:".php?uid="; nocase; http_uri; content:"&ver="; distance:0; http_uri; pcre:"/\.php\?uid=\d*&ver=[^&]+(&traff=\d+)?$/U"; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:url,ef.kaffenews.com/?p=833; reference:url,www.threatexpert.com/report.aspx?md5=55edeb8742f0c38aaa3d984eb4205c68; reference:url,www.threatexpert.com/report.aspx?md5=60c84bb1ca03f80ca385f16946322440; reference:url,www.threatexpert.com/report.aspx?md5=7fcebf5bd67cede35d08bedd683e3524; reference:url,www.threatexpert.com/report.aspx?md5=778113cc4e758ed65de0123bb79cbd1f; classtype:trojan-activity; sid:2011996; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Darkness DDoS Bot Checkin"; flow:established,to_server; content:".php?uid="; nocase; http_uri; content:"&ver="; distance:0; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.php\?uid=\d{5,6}&ver=[^&]+(&traff=\d+)?$/U"; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101205; reference:url,ef.kaffenews.com/?p=833; reference:url,www.threatexpert.com/report.aspx?md5=55edeb8742f0c38aaa3d984eb4205c68; reference:url,www.threatexpert.com/report.aspx?md5=60c84bb1ca03f80ca385f16946322440; reference:url,www.threatexpert.com/report.aspx?md5=7fcebf5bd67cede35d08bedd683e3524; reference:url,www.threatexpert.com/report.aspx?md5=778113cc4e758ed65de0123bb79cbd1f; classtype:trojan-activity; sid:2011996; rev:10;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Spy.YEK MAC and IP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Disposition|3A| form-data|3B| name=|22|MAC|22|"; http_header; nocase; content:"|0d 0a|Content-Disposition|3A| form-data|3B| name=|22|IP|22|"; nocase; http_header; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20101115; classtype:trojan-activity; sid:2011999; rev:5;)
@@ -43487,6 +43490,12 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Outbound Low Orbit Ion Cannon LOIC Tool Internal User May Be Participating in DDOS desu string"; flow:to_server,established; content:"desudesudesu"; nocase; fast_pattern:only; threshold: type limit,track by_src,seconds 180,count 1; reference:url,www.isc.sans.org/diary.html?storyid=10051; classtype:trojan-activity; sid:2012050; rev:3;)
#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX IconIndex Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|IconIndex|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15695/; classtype:misc-attack; sid:2012052; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Winzip 15.0 WZFLDVW.OCX Text Property Denial of Service"; flow:established,to_client; content:"clsid"; nocase; content:"4E3770F4-1937-4F05-B9A2-959BE7321909"; nocase; content:"|22|Text|22|"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*4E3770F4-1937-4F05-B9A2-959BE7321909\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15694/; classtype:misc-attack; sid:2012053; rev:1;)
+
+#
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"|0d 0a|HeaderX|3a 20|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3;)
#
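Review bot: The trailing `(.*)\>` in the pcre of sid:2012052, with the `s` flag, greedily scans to the last `>` in the whole buffer and then backtracks, which is expensive on large HTML responses and the capturing group is never used; sid:2012053 on the fourth line of the hunk carries the same expression. Replacing it with `[^>]*>` bounds the scan to the end of the `<object` tag and matches the same documents: `\s*}?[^>]*>/si`. Neither rule sets `file_data`, so the match runs over the raw response rather than the decoded body; the other response-side rules further down in this file (e.g. the WMI rule after the Adobe printSeps hunk) use `file_data` and it would be worth aligning, assuming the engine version in use supports it.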
@@ -43505,6 +43514,9 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:1;)
#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; distance:0; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; distance:0; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:1;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of document.write % Encoding"; flow:established,to_client; content:"%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012059; rev:1;)
#
@@ -43652,7 +43664,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-8 %u90 NOP SLED"; flow:established,to_client; content:"%u90%u90"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012110; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u9090"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 %u9090 NOP SLED"; flow:established,to_client; content:"%u9090%u"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012111; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Encoded %90 NOP SLED"; flow:established,to_client; content:"%90%90%90"; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2012112; rev:2;)
@@ -43718,7 +43730,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET 999 (msg:"ET CURRENT_EVENTS p2pshare.org Malware Related Activity"; flow:to_server,established; content:"GET "; depth:4; content:"|0d 0a|Host|3A| p2pshare.org|3A|999"; classtype:trojan-activity; sid:2012132; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid "; http_header; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; within:20; classtype:trojan-activity; sid:2012136; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac 2.0/Storm Worm 3.0 GET request detected"; flow:established; content:"GET"; nocase; http_method; urilen:1; content:"/"; http_uri; content:"|0d 0a|Content-Length|3a| "; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trid "; content:"ent/4.0)|0d 0a 0d 0a 01 02 01 01 01 01 02 01|"; fast_pattern; within:20; classtype:trojan-activity; sid:2012136; rev:10;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Storm/Waledac 3.0 Checkin 1"; flow:established,to_server; content:"GET "; nocase; depth:4; content:".htm"; content:"Host|3a| "; content:"Content-Length|3a| "; content:".htm HTTP/1.1"; pcre:"/Host\x3a [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/"; pcre:"/Content-Length\x3a [1-9]/"; classtype:trojan-activity; sid:2012137; rev:5;)
@@ -43784,6 +43796,9 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; distance:0; within:50; content:"|FE FF|"; distance:0; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:2;)
#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Reader 9.4 doc.printSeps Memory Corruption Attempt"; flow:established,to_client; content:"%PDF-"; nocase; depth:300; content:"doc.printSeps"; nocase; distance:0; reference:bid,44638; reference:cve,2010-4091; classtype:attempted-user; sid:2012156; rev:1;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WBEM.SingleViewCtrl.1"; nocase; distance:0; pcre:"/WBEM\x2ESingleViewCtrl\x2E1.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; classtype:attempted-user; sid:2012157; rev:1;)
#
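Review bot: `content:"%PDF-"; nocase; depth:300;` in sid:2012156 is evaluated against the raw TCP payload because the rule sets no `file_data`, so the 300-byte window is consumed by the HTTP response headers and the PDF magic is missed whenever the headers are long or the body starts in a later segment. The neighbouring sid:2012157 in the same hunk already uses `file_data` for its response match; the same form here, `file_data; content:"%PDF-"; nocase; depth:300; content:"doc.printSeps"; nocase; distance:0;`, keeps the depth relative to the decoded body, which is what the 300-byte tolerance for junk before the PDF header is meant for.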
@@ -43862,7 +43877,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/media.php?"; http_uri; nocase; content:"DIR_LIBS="; http_uri; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:3;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:2;)
+##alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/xmlrpc/server.php?"; nocase; http_uri; content:"DIR_LIBS="; nocase; http_uri; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:2;)
@@ -44054,7 +44069,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MUROFET/Licat Trojan Checkin Forum"; flow:established,to_server; content:"GET"; http_method; content:!"|0d 0a|Referer|3a|"; nocase; content:"/forum/?"; http_uri; pcre:"/forum\/\?[0-9a-f]{8}$/U"; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; reference:url,www.threatexpert.com/report.aspx?md5=531e84b0894a7496479d186712acd7d2; classtype:trojan-activity; sid:2012248; rev:2;)
#
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; http_header; classtype:trojan-activity; sid:2012249; rev:1;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; nocase; http_header; classtype:trojan-activity; sid:2012249; rev:2;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Unknown Web Backdoor Keep-Alive"; flow:established,to_server; content:"POST /bbs/info.asp "; depth:19; dsize:<170; classtype:trojan-activity; sid:2012250; rev:1;)
@@ -44132,10 +44147,16 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of eval %u UTF-16 Encoding"; flow:established,to_client; content:"%u6576%u616c"; nocase; fast_pattern:only; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012274; rev:1;)
#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Inbound SPAM (possible Spyeye)"; flow:established,to_server; content:"Content-Disposition|3A|attachment|3b|"; nocase; content:"filename=|22|Post_Express_Label_"; nocase; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012275; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS USPS Inbound SPAM"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_Document.zip"; nocase; classtype:trojan-activity; sid:2012276; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (Our_Agent)"; flow:established,to_server; content:" Our_Agent"; http_header; classtype:trojan-activity; sid:2012278; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye HTTP Library leaking information to C&C"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye HTTP Library Checkin"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b 20|name=|22|sid|22|"; http_client_body; content:"form-data|3b 20|name=|22|ping|22|"; http_client_body; content:"form-data|3b 20|name=|22|guid|22|"; http_client_body; content:"form-data|3b 20|name=|22|GB|22 3b 20|filename=|22|GB.TXT|22|"; http_client_body; fast_pattern; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012279; rev:2;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity to document.doc"; flow:established,to_server; content:"/forum/document.doc"; http_uri; content:"!Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012280; rev:1;)
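Review bot: The attachment header in sid:2012275 is matched without a space after the colon (`Content-Disposition|3A|attachment|3b|`), whereas sid:2012276 three lines below and every other SMTP rule in this diff match `Content-Disposition|3A| attachment|3b|` with the space. If the Post Express campaign really emits the header without the space this is a deliberate fingerprint and deserves a comment on the line above the rule, e.g. `# no space after the colon: matches the malformed header used by this campaign`; if it is a typo, the rule never fires on standard MIME formatting and should use the spaced form like its siblings.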
@@ -44261,7 +44282,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.rr.nu domain"; flow:established,to_server; content:".rr.nu|0D 0A|"; http_header; classtype:bad-unknown; sid:2012330; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS User-Agent CMD"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 1.0|3b| Windows NT|3b| CMD"; http_header; fast_pattern:36,20; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS User-Agent CMD"; flow:established,to_server; content:" (compatible|3b| MSIE 1.0|3b| Windows NT|3b| "; http_header; fast_pattern:16,20; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:7;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious Advertizing URL in.cgi/antibot_hash"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"ab_iframe="; nocase; http_uri; content:"ab_badtraffic="; nocase; http_uri; content:"antibot_hash="; nocase; http_uri; content:"ur="; nocase; http_uri; content:"HTTP_REFERER="; nocase; http_uri; classtype:bad-unknown; sid:2012323; rev:2;)
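Review bot: The message of sid:2012322 still reads "Possible TDSS User-Agent CMD", but the new content no longer includes the `CMD` token nor the `User-Agent|3a|` prefix, so the rule now fires on any header containing ` (compatible; MSIE 1.0; Windows NT; ` and the alert name overstates what was matched. Either restore `CMD` as a second `http_header` content with `distance:0`, or rename the msg to reflect the broader match, e.g. `msg:"ET TROJAN Possible TDSS User-Agent (MSIE 1.0 Windows NT)"`. The `fast_pattern:16,20` offsets do line up with the 36-byte content, so that part checks out.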
@@ -44456,6 +44477,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent PrivacyInfoUpdate"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| PrivacyInfoUpdate"; nocase; http_header; classtype:trojan-activity; sid:2012387; rev:1;)
#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS USPS SPAM Inbound possible spyeye trojan"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|USPS_"; nocase; content:".zip|22|"; nocase; reference:url,www.virustotal.com/file-scan/report.html?id=ed1766eb13cc7f41243dd722baab9973560c999c1489763c0704debebe8f4cb1-1298551066; classtype:trojan-activity; sid:2012388; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Java Exploit Kit Success Check-in Executable Download Likely"; flow:established,to_server; content:".php?"; http_uri; content:"=javajsm"; http_uri; classtype:trojan-activity; sid:2012389; rev:2;)
#
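Review bot: sid:2012388 is a strict superset of sid:2012276 added earlier in this diff: both require `Content-Disposition|3A| attachment|3b|`, and `filename=|22|USPS_` plus `.zip|22|` is satisfied by every `filename="USPS_Document.zip"` message, so each such mail raises two alerts with different names. Either disable the narrower 2012276 or exclude its filename from this rule with `content:!"filename=|22|USPS_Document.zip"; nocase;` so the two alerts stay disjoint. The virustotal reference is the only pointer here; a one-line comment naming the campaign date would help the next person triaging an alert from it.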
@@ -44555,6 +44579,9 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhreeBooks js_include.php form Parameter Cross Site Scripting Attempt 2"; flow:established,to_server; content:"/shipping/pages/popup_shipping/js_include.php?"; nocase; http_uri; content:"form="; http_uri; nocase; pcre:"/form\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/98756/PhreeBooksR30RC4-xss.txt; reference:url,exploit-db.com/exploits/16249/; classtype:web-application-attack; sid:2012419; rev:2;)
#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Likseput.B Checkin 2"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 0d 0a 3c|img border="; nocase; distance:0; content:"|2f 23|KX8|2E|"; distance:5; within:64; fast_pattern; pcre:"/^\x3c\x21\x2d\x2d\x0d\x0a\x3cimg\x20border=\d+\x20src=\x22\S+\x2f\x23KX8\x2e/mi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fLikseput.B; classtype:trojan-activity; sid:2016428; rev:3;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanDownloader Win32/Harnig.gen-P Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bhanx.php?"; http_uri; nocase; content:"adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&p="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=40d1819b9c3c85e1f3b7723c7a9118ad; classtype:trojan-activity; sid:2012438; rev:4;)
#
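Review bot: sid:2016428 is inserted between sid:2012419 and sid:2012438 even though the surrounding file is ordered by sid, and its `rev:3` on a newly added line suggests it was moved from another file; the same applies to sid:2016951, placed between 2012493 and 2012494 further down in this diff. If the intent is to keep these next to related signatures, a comment such as `# sid out of sequence: grouped with related Likseput/Trup signatures` on the line above each would stop later merges from relocating them. On the rule itself, the `m` flag with `^` in the pcre is only meaningful because the pattern is anchored at a line start inside `file_data`; worth a word in a comment since it is not obvious from the rule.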
@@ -44624,6 +44651,9 @@
##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2;)
#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Inbound bad attachment v.5"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS"; nocase; content:".zip|22|"; nocase; pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/Ui"; classtype:trojan-activity; sid:2012443; rev:1;)
+
+#
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:2;)
#
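Review bot: The pcre in sid:2012443 carries the `U` modifier, which restricts the match to the normalised HTTP URI buffer, but the rule is an SMTP rule on port 25 where that buffer is never populated, so the pcre can never match and the rule is dead on arrival. Drop the modifier so the expression runs against the payload like its contents do: `pcre:"/ups(_parcel_delivery-tracking-notice-|-Delivery-Notification-Message_)\S*\.zip/i"`. None of the other SMTP rules in this diff use `U`, which supports reading this as a copy-paste slip.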
@@ -44678,7 +44708,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible JKDDOS download cl.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cl.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012461; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:2;)
#
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET P2P Ocelot BitTorrent Server in Use"; flow:established,from_server; content:"HTTP/1.1 200 |0d 0a|Server|3a| Ocelot "; depth:30; classtype:policy-violation; sid:2012467; rev:4;)
@@ -44756,9 +44786,15 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Presto)"; flow:established,to_server; content:"User-Agent|3a| Opera/10.60 Presto/2.2.30"; http_header; content:!"Accept"; http_header; classtype:trojan-activity; sid:2012491; rev:7;)
#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"|40|dhl.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012492; rev:1;)
+
+#
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; content:"|22|filename=dhl_"; nocase; content:".zip|22|"; nocase; classtype:trojan-activity; sid:2012493; rev:2;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Trup.CX Checkin 1"; flow:to_server,established; content:"/sms/do|2e|php?userid="; nocase; offset:4; depth:19; content:"&time="; nocase; within:64; content:"&msg="; nocase; within:32; content:"&pauid="; nocase; within:128; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Agent.AAE; classtype:trojan-activity; sid:2016951; rev:4;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV InstallInternetDefender Download"; flow:established,from_server; content:"attachment|3b 20|filename=|22|InstallInternetDefender_"; http_header; nocase; classtype:trojan-activity; sid:2012494; rev:1;)
#
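Review bot: The new sid:2012492 reuses the exact msg of sid:2012493 two lines below ("ET CURRENT_EVENTS DHL Spam Inbound"), so alerts from the two rules are indistinguishable by name even though they match different things (sender domain `@dhl.com` plus any `.zip"` versus a `dhl_*.zip` filename); a distinct name such as `msg:"ET CURRENT_EVENTS DHL Spam Inbound (dhl.com sender with zip attachment)"` avoids that. In sid:2016951 the msg names Backdoor.Win32.Trup.CX while the only reference points at the Microsoft entry for Trojan:Win32/Agent.AAE; if those are the same family under two names, a comment on the line above saying so would prevent the mismatch being "fixed" later, otherwise the reference or the msg is wrong.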
@@ -44789,7 +44825,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; rawbytes; classtype:bad-unknown; sid:2012504; rev:6;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; classtype:bad-unknown; sid:2012504; rev:7;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Monkif Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/photo/"; http_uri; content:"6x5x5772=712x5772=716x"; http_uri; classtype:trojan-activity; sid:2012505; rev:3;)
@@ -44996,25 +45032,25 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"SELECT"; http_uri; nocase; content:"FROM"; http_uri; nocase; pcre:"/SELECT.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012575; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012576; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UNION SELECT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/UNION.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012576; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012577; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012578; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field DELETE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; http_uri; nocase; pcre:"/DELETE.+FROM/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012578; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012579; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012580; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED mySeatXT SQL Injection Attempt autocomplete.php field UPDATE"; flow:established,to_server; content:"/web/classes/autocomplete.php?"; nocase; http_uri; content:"field="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/98636/mySeatXT0.164-SQL.txt; classtype:web-application-attack; sid:2012580; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/lazyest-gallery/lazyest-popup.php?"; nocase; http_uri; content:"image="; http_uri; nocase; pcre:"/image\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,htbridge.ch/advisory/xss_in_lazyest_gallery_wordpress_plugin.html; reference:url,secunia.com/advisories/43661/; classtype:web-application-attack; sid:2012581; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012582; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED Interleave basicstats.php AjaxHandler Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/basicstats.php?"; nocase; http_uri; content:"AjaxHandler="; nocase; http_uri; pcre:"/AjaxHandler\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46771; reference:url,xforce.iss.net/xforce/xfdb/65942; reference:url,packetstorm.linuxsecurity.com/1103-exploits/Interleave5.5.0.2-xss.txt; classtype:web-application-attack; sid:2012582; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework appMVCPath Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/mvc/ardeaMVC.php?"; nocase; http_uri; content:"appMVCPath="; http_uri; nocase; pcre:"/appMVCPath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012583; rev:2;)
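Review bot: Sid 2012580 is retired here without a rev bump — its trailer still reads `rev:3` although the msg changed from `ET WEB_SPECIFIC_APPS` to `ET DELETED`, while the sibling retirements in this hunk (2012576, 2012578, 2012582) each increment rev. Tooling that tracks rules by sid/rev will not see this change and may keep the old msg text. Change the trailer to `sid:2012580; rev:4;`. The same omission applies to sid 2013077 in the hunk at -46451, which is commented out with `rev:3` unchanged.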
@@ -45098,7 +45134,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Sample"; flow:established,to_server; content:"User-Agent|3A| sample"; nocase; http_header; classtype:trojan-activity; sid:2012611; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:!".taobao.com|0d 0a|"; http_header; content:!"client.dict.cn|0d 0a|"; http_header; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2012612; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?"; http_uri; content:!".taobao.com|0d 0a|"; http_header; content:!".dict.cn|0d 0a|"; http_header; content:"HTTP/1.1|0d 0a|User-Agent"; fast_pattern:only; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:")|0d 0a|Host|3a 20|"; distance:0; content:"Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; distance:0; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2012612; rev:10;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyeEye Trojan Request file=grabbers"; flow:established,to_server; content:".php?file="; nocase; http_uri; content:"grabber"; distance: 0; http_uri; classtype:trojan-activity; sid:2012613; rev:4;)
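Review bot: The whitelist negation in sid 2012612 is broadened from `client.dict.cn` to `content:!".dict.cn|0d 0a|"; http_header;`, and like the `.taobao.com` negation next to it the match is evaluated over the whole normalized header buffer, so the alert is suppressed whenever that suffix ends any header line, not only the Host line. Tying the exclusion to the Host header — for example a negated `pcre:!"/^Host\x3a[^\r\n]*\.dict\.cn\r\n/Hmi"` — keeps the exemption to the traffic it was written for. Whether every subdomain of dict.cn should now be exempt is a judgement call the commit message does not state; a short rationale there would help future maintainers.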
@@ -45131,7 +45167,7 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; classtype:attempted-user; sid:2012624; rev:3;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:"</title><script src=http|3a|//"; nocase; content:"/ur.php></script>"; within:100; classtype:attempted-user; sid:2012624; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:2;)
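Review bot: Sid 2012624 is commented out and rev-bumped but its msg keeps the `ET CURRENT_EVENTS` prefix, whereas the other retirements in this commit (sids 2012576, 2012578, 2012582 in the -44996 hunk) are renamed to `ET DELETED`. A disabled rule that still carries its category name reads as temporarily off rather than retired, and tools that list rules by category will still file it under CURRENT_EVENTS. Use `msg:"ET DELETED Lizamoon Related Compromised site served to local client"`. The same inconsistency applies to sid 2012684 in the hunk at -45257.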
@@ -45206,6 +45242,9 @@
alert udp $HOME_NET 17500 -> any 17500 (msg:"ET POLICY Dropbox Client Broadcasting"; content:"{|22|host_int|22 3a| "; depth:13; content:" |22|version|22 3a| ["; distance:0; content:"], |22|displayname|22 3a| |22|"; distance:0; threshold:type limit, count 1, seconds 3600, track by_src; classtype:policy-violation; sid:2012648; rev:3;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Related Lame Updater User-Agent"; flow:established,to_server; content:"User-Agent|3a 20|LameUpdater"; http_header; classtype:trojan-activity; sid:2017347; rev:3;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dooptroop Dropper Checkin"; flow:established,to_server; content:".php?rev="; http_uri; content:"&code="; http_uri; content:"¶m="; http_uri; content:"&num="; http_uri; content:"User-Agent|3a 20|Explorer"; http_header; fast_pattern; classtype:trojan-activity; sid:2013808; rev:2;)
#
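Review bot: The insertion for sid 2017347 adds an empty line between the rule and the `#` separator, while the rest of the file separates consecutive rules with a single `#` line and no blank lines. The extra line breaks the rule/`#`/rule rhythm and makes sid-ordered diffs noisier than they need to be. Drop the blank line so the rule is followed directly by `#`. The same pattern appears in the additions for sids 2017990/2017991, 2012690, 2017348, 2012781, 2016913 and 2017067 later in this commit.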
@@ -45215,6 +45254,12 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:3;)
#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive"; flow:from_server,established; dsize:<100; content:"ping|7c|"; depth:5; classtype:trojan-activity; sid:2017990; rev:11;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive Response"; flow:to_server,established; dsize:<100; content:"pong|7c|"; depth:5; classtype:trojan-activity; sid:2017991; rev:6;)
+
+#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012672; rev:3;)
#
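Review bot: Sids 2017990 and 2017991 match `ping|` and `pong|` in the first five bytes of any established TCP payload under 100 bytes, on any port and without a reference, so any small text protocol that exchanges those tokens will fire with classtype trojan-activity. Pairing the two rules on the flow would cut that noise considerably: set a flowbit in the keepalive rule, `flowbits:set,et.cybergate.keepalive; flowbits:noalert;`, and require it in the response rule with `flowbits:isset,et.cybergate.keepalive;`, so the alert only fires when a ping is followed by a pong on the same connection (flowbit name constructed here following the file's `et.` convention). If a standalone alert on the keepalive is deliberate, a `reference:` pointing at the family analysis that documents this exchange would help analysts assess a hit.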
@@ -45257,7 +45302,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012654; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:5;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012655; rev:2;)
@@ -45323,6 +45368,9 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY LoJack asset recovery/tracking - not malicious"; flow:established,to_server; content:"POST|20|/|20|HTTP/1.1|0d 0a|TagId|3a 20|"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|6.0|3b|)|0d 0a|Host|3a 20|"; distance:0; content:".namequery.com|0d 0a|Content"; distance:0; fast_pattern; threshold: type limit, count 2, seconds 300, track by_src; reference:url,www.absolute.com/en/lojackforlaptops/home.aspx; classtype:attempted-recon; sid:2012689; rev:4;)
#
+alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System"; flow:established; dsize:<160; content:"Microsoft Windows [Version "; depth:30; content:"Copyright (c)"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2012690; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan"; flow:established,to_server; content:"Host|3a| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:1;)
#
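Review bot: The msg of sid 2012690 names `Windows 7 CMD Shell`, but the contents (`Microsoft Windows [Version `, `Copyright (c)`, `Microsoft Corp`) match the generic command-prompt banner of any Windows release, and the `$HOME_NET any -> any any` header also covers internal administrative sessions between $HOME_NET hosts. With `classtype:successful-admin` a name narrower than the match misleads triage; either broaden it, for example `msg:"ET ATTACK_RESPONSE Windows CMD Shell Banner from Local System"`, or pin the version text after `[Version ` so the rule really is specific to one release. The new rule also lacks a `reference:`.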
@@ -45374,7 +45422,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS vtiger CRM service parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/vtigerservice.php?"; nocase; http_uri; content:"service="; nocase; http_uri; pcre:"/service\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/100183/vtigerCRM5.2.1-XSS.txt; classtype:web-application-attack; sid:2012706; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious double HTTP Header possible botnet CnC"; flow:from_server,established; content:"HTTP/1.1 200"; depth:12; content:"Server|3a| Apache"; within:50; content:"Server|3a|nginx"; fast_pattern; within:150; classtype:trojan-activity; sid:2012707; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Suspicious double Server Header"; flow:from_server,established; content:"HTTP/1.1 200"; depth:12; content:"Server|3a| Apache"; within:50; content:"Server|3a|nginx"; fast_pattern; within:150; classtype:trojan-activity; sid:2012707; rev:3;)
#
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER HTTP 414 Request URI Too Large"; flow:from_server,established; content:"414"; http_stat_code; content:"Request-URI Too Large"; nocase; classtype:web-application-attack; sid:2012708; rev:4;)
@@ -45467,6 +45515,9 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8866|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:6;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Trojan.Win32.VBKrypt.cugq Checkin"; flow:to_server,established; content:"/bot.php"; http_uri; content:"User-Agent|3A| umbra"; nocase; http_header; reference:url,www.securelist.com/en/descriptions/10316591/Trojan.Win32.VBKrypt.cugq; reference:url,www.mcafee.com/threat-intelligence/malware/default.aspx?id=456326; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-RDK/detailed-analysis.aspx; reference:md5,79e24434a74a985e1c64925fd0ac4b28; classtype:trojan-activity; sid:2017348; rev:3;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/taskx.txt"; http_uri; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:1;)
#
@@ -45587,13 +45638,16 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious IAT SetKeyboardState - Can Be Used for Keylogging"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"SetKeyboardState"; nocase; distance:0; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:misc-activity; sid:2012780; rev:4;)
#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS Possible Hiloti DNS Checkin Message explorer_exe"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"explorer_exe"; nocase; distance:0; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2012781; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; content:"StartUpdata.ini"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:1;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; nocase; content:"active.txt"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8118 (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; content:"active.txt"; nocase; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Egypack/1.0 User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|Egypack"; http_header; reference:url,www.vbulletin.com/forum/showthread.php/338741-vBulletin-Footer-SQL-Injection-Hack; classtype:trojan-activity; sid:2012785; rev:2;)
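Review bot: The new DNS rule sid 2012781 does not mark `content:"explorer_exe"` as `fast_pattern`, while the neighbouring DNS-query rules built from the same `|01 00 00 01 00 00 00 00 00 00|` header prefix (sid 2012738 in the -45467 hunk, sid 2012811 in the -45674 hunk) explicitly put `fast_pattern` on the domain content. The engine's default picks the longest content, which here is the 12-byte label, so this is a consistency point rather than a performance defect; adding `fast_pattern;` after `content:"explorer_exe"; nocase;` makes the choice explicit and independent of that heuristic. The removal of the duplicated `nocase` on sid 2012784 looks correct.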
@@ -45635,7 +45689,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebAuction lang parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/lib/jscalendar/test.php?"; nocase; http_uri; content:"lang="; nocase; http_uri; pcre:"/lang\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/view/101056/WebAuction0.3.6-XSS.txt; classtype:web-application-attack; sid:2012797; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 1"; flow:established,to_server; content:"/images2/"; nocase; http_uri; pcre:"/\/images2\/[0-9a-fA-F]{500,}/U"; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2012799; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 1"; flow:established,to_server; content:"/images2/"; nocase; http_uri; fast_pattern:only; pcre:"/\/images2\/[0-9a-fA-F]{500}/U"; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; reference:url,www9.dyndns-server.com%3a8080/pub/botnet-links.html; classtype:trojan-activity; sid:2012799; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ponmocup C2 Sending Data to Controller 2"; flow:established,to_server; content:"/cgi-bin/rokfeller3.cgi?v=11"; nocase; http_uri; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012800; rev:2;)
@@ -45659,7 +45713,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT QuickTime Remote Exploit (exploit specific)"; flow:established,to_client; file_data; content:"|2f 2f|mshtml|2e|dll"; nocase; distance:0; content:"unescape|28|"; nocase; distance:0; content:"onload"; nocase; distance:0; content:"ObjectLoad|28|"; within:32; pcre:"/src\s*\x3d\s*\x22res\x3a\x2f\x2fmshtml\x2edll/"; reference:url,www.1337day.com/exploits/16077; classtype:attempted-user; sid:2012806; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Possible g01pack Exploit Pack Malicious JAR File Request"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; content:"User-Agent|3a|"; nocase; http_header; content:"Java/"; within:200; http_header; pcre:"/\/[0-9a-f]{32}\.jar$/U"; reference:url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/; reference:url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx; classtype:attempted-user; sid:2012807; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible g01pack Exploit Pack Malicious JAR File Request"; flow:established,to_server; content:".jar"; http_uri; fast_pattern; content:"User-Agent|3a|"; nocase; http_header; content:"Java/"; within:200; http_header; pcre:"/\/[0-9a-f]{32}\.jar$/U"; reference:url,blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/; reference:url,community.websense.com/blogs/securitylabs/archive/2011/04/19/Mass-Injections-Leading-to-g01pack-Exploit-Kit.aspx; classtype:attempted-user; sid:2012807; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress DB XML dump attempted access"; flow:established,to_server; content:"/uploads/"; http_uri; content:".wordpress.20"; http_uri; distance:0; content:".xml_.txt"; http_uri; distance:0; fast_pattern; reference:url,seclists.org/fulldisclosure/2011/May/322; classtype:attempted-recon; sid:2012808; rev:1;)
@@ -45674,6 +45728,9 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .tk domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|tk|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2012811; rev:1;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.Alsci/Dragon Eye RAT Checkin (sending user info)"; flow:to_server,established; content:"Auth"; nocase; depth:4; content:" @ "; within:128; content:"|5C 23 2F|"; within:128; content:"|5C 23 2F|"; within:32; content:"|5C 23 2F|"; within:20; reference:url,www.threatexpert.com/report.aspx?md5=e7d9bc670d69ad8a6ad2784255324eec; reference:url,www.threatexpert.com/report.aspx?md5=37207835e128516fe17af3dacc83a00c; classtype:trojan-activity; sid:2016913; rev:4;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Malicious Facebook Javascript"; flow:established,to_client; content:"eval|28|function|28|p,a,c,k,e,"; nocase; content:"replace|28|newRegExp|28|"; nocase; distance:0; content:"SocialGraphManager"; fast_pattern; nocase; distance:0; reference:url,blog.trendmicro.com/dubious-javascript-code-found-in-facebook-application/; classtype:bad-unknown; sid:2012812; rev:2;)
#
@@ -45965,6 +46022,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent Fragment (WORKED)"; flow:established,to_server; content:"WORKED"; http_header; pcre:"/User-Agent\x3a[^\n]+WORKED/H"; classtype:trojan-activity; sid:2012909; rev:2;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious user agent (Google page)"; flow:to_server,established; content:"User-Agent|3a| Google page"; nocase; http_header; classtype:trojan-activity; sid:2017067; rev:3;)
+
+#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CPL Trojan Downloader Request"; flow:established,to_server; content:".cpl?|20|HTTP/1.1"; nocase; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2012910; rev:5;)
#
@@ -46352,10 +46412,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; content:"POST"; http_method; content:"/ProtocolGW/protocol/"; nocase; http_uri; pcre:"/\x2FProtocolGW\x2Fprotocol\x2F(commandstatus|commands|activate|bookmarks|dumplog|history|installation|shortcuts)/Ui"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST"; flow:established,to_server; content:"POST"; http_method; content:"/ProtocolGW/protocol/"; nocase; http_uri; pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/Ui"; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013042; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; content:"POST"; http_method; content:"action=get&applicationID="; http_client_body; nocase; depth:25; content:"&developerId="; nocase; distance:0; content:"&deviceId="; nocase; distance:0; content:"android.permission"; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Android.Plankton/Tonclank Successful Installation Device Information POST Message Body"; flow:established,to_server; content:"POST"; http_method; content:"action=get&applicationID="; http_client_body; nocase; depth:25; content:"&developerId="; http_client_body; nocase; distance:0; content:"&deviceId="; http_client_body; nocase; distance:0; content:"android.permission"; http_client_body; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013043; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; file_data; content:"url=http|3A|//"; nocase; within:11; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:2;)
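Review bot: The rewritten pcre in sid 2013042 drops the `\x2FProtocolGW\x2Fprotocol\x2F` prefix the previous expression had, so the alternation (`history`, `activate`, `installation`, …) now matches those words anywhere in the normalized URI, including the query string, and is no longer tied to the `/ProtocolGW/protocol/` content match that precedes it. If the deployed engine accepts the relative modifier together with `U`, `pcre:"/(?:(?:command(?:statu)?|bookmark|shortcut)s|h(?:omepage|istory)|eula(?:status)?|installation|activate|dumplog)/UiR"` would start the search immediately after that content and restore the old anchoring. The `http_client_body` additions on sid 2013043 look right; three of the four body contents previously defaulted to the raw payload.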
@@ -46451,7 +46511,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1."; content:"|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; distance:1; within:46; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; nocase; content:"/webhp"; http_uri; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013076; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:1;)
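Review bot: L1835 disables sid 2013077 by commenting it out but leaves its msg as `ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10`, whereas the other rules this commit retires (L1867, L1916, L1922) are renamed to `ET DELETED ...` in the same step. The prefix is how a reader scanning this file tells a retired rule from one that is only temporarily commented out, so the two should not diverge. Suggested: `#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Pack HCP overflow Media Player lt 10"; ...` with the remaining options unchanged, rev left as the retired rules leave it.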
@@ -46499,7 +46559,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Clickfraud Framework Request"; flow:to_server,established; content:"/go.php?uid="; http_uri; fast_pattern; content:"&data="; http_uri; urilen:>500; classtype:bad-unknown; sid:2013093; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d]*$/U"; classtype:bad-unknown; sid:2013094; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9a-f]{60,66}[\;\d\x2c]*$/U"; classtype:bad-unknown; sid:2013094; rev:8;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/nagios/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; fast_pattern; http_uri; nocase; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:1;)
@@ -46580,6 +46640,9 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 7580 (msg:"ET SCADA Siemens FactoryLink 8 CSService Logging Buffer Overflow Vulnerability"; flow:established,to_server; content:"CSService"; nocase; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,packetstormsecurity.org/files/view/102579/factorylink_csservice.rb.txt; classtype:denial-of-service; sid:2013120; rev:1;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Sluegot.A Checkin WEBC2-YAHOO APT1 Related"; flow:to_server,established; content:"User-Agent|3a| IPHONE"; http_header; pcre:"/User-Agent\x3a\sIPHONE\d+\x2e\d+\x28(host\x3a|[^\r\n\x2c]+\x2c(\d{1,3}\.){3}\d{1,3})/Hi"; reference:url,www.securelist.com/en/descriptions/24052976/Trojan.Win32.Scar.ddxe; reference:md5,0149b7bd7218aab4e257d28469fddb0d; reference:md5,6f9992c486195edcf0bf2f6ee6c3ec74; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016461; rev:3;)
+
+#
##alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.VB.OWR Checkin"; flow:to_server,established; content:"|12 01 00|"; depth:3; content:"|00 00 00 00 00 00 15 00 06 01 00 1B 00 01 02 00 1C 00|"; within:19; reference:url,www.threatexpert.com/report.aspx?md5=7684532e7e1d717427f6842e9d5ecd56; reference:url,anubis.iseclab.org/?action=result&task_id=1ac5dbffd86ddd7f49da78a66fbeb6c37&format=txt; classtype:trojan-activity; sid:2013121; rev:3;)
#
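Review bot: In the new rule at L1848 the content `User-Agent|3a| IPHONE` is case-sensitive and fixes a single space, while the pcre that refines it uses `/Hi` and `\s`, so the pcre is looser than the content that gates it and its `i` flag can never have an effect. Either drop the `i` and use a literal space so the two agree, or add `nocase` to the content if variant casing was actually observed in the referenced samples (not visible here). Separately, L1849–L1850 insert a blank line before the `#` separator whereas the rest of this file separates rules with a bare `#` line; the same appears at L1875–L1876, L1923–L1924, L1926–L1927, L1933–L1934 and L1941–L1942.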
@@ -46739,10 +46802,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Atomic_Email_Hunter/"; fast_pattern:12,20; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013174; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:2013175; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"User-Agent|3a| Egypack"; nocase; http_header; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/showthread.php/338741-vBulletin-Footer-SQL-Injection-Hack; classtype:trojan-activity; sid:2013176; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"User-Agent|3a| Egypack"; nocase; http_header; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013176; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Artro Downloader User-Agent Detected"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| wget 3.0|3b| rv|3a|5.0) Gecko/20100101 Firefox/5.0"; http_header; fast_pattern:20,20; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; classtype:trojan-activity; sid:2013184; rev:5;)
@@ -46853,7 +46916,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN GhOst Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; content:"GhOst"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:trojan-activity; sid:2013214; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 83 (msg:"ET TROJAN W32/Alworo CnC Checkin"; flow:established,to_server; content:".php?userid="; nocase; content:"&time="; nocase; distance:0; content:"&msg="; nocase; distance:0; content:"&ver="; nocase; distance:0; content:"&pauid="; nocase; distance:0; content:"&checkId="; nocase; distance:0; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2; classtype:trojan-activity; sid:2013215; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 83 (msg:"ET DELETED W32/Alworo CnC Checkin"; flow:established,to_server; content:".php?userid="; nocase; content:"&time="; nocase; distance:0; content:"&msg="; nocase; distance:0; content:"&ver="; nocase; distance:0; content:"&pauid="; nocase; distance:0; content:"&checkId="; nocase; distance:0; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062909-5644-99&tabid=2; classtype:trojan-activity; sid:2013215; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP Via myip.ozymo.com"; flow:established,to_server; content:"myip.ozymo.com"; fast_pattern:only; nocase; http_header; classtype:attempted-recon; sid:2013217; rev:1;)
@@ -46874,7 +46937,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:".exe|0d 0a|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2013224; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/PolyCrypt.A Checkin"; flow:to_server,established; content:"?action="; http_uri; content:"&username="; http_uri; content:"&password="; http_uri; content:"&app="; http_uri; content:"&pcname="; fast_pattern:only; http_uri; content:"&sitename="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=44be7c6d4109ae5fb0ceb2824facf2dd; classtype:trojan-activity; sid:2016941; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:".exe|0d 0a|"; fast_pattern:only; http_header; nocase; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; content:!"CTX_"; http_uri; classtype:trojan-activity; sid:2013224; rev:12;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/IRCBrute Checkin 2"; flow:established,to_server; content:"/Dialer_Min/telcom.asp"; nocase; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~DwnLdr-IRB/detailed-analysis.aspx; classtype:trojan-activity; sid:2013225; rev:2;)
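Review bot: The six `http_uri` contents in the new rule at L1874 carry no `distance:0`, so each is matched independently anywhere in the URI and in any order, and any request whose query happens to contain all six parameter names matches regardless of layout. If the checkin always emits them in the order written (the msg and reference suggest a fixed format, but the sample is not visible here), chaining the evaluated contents with `distance:0` — as the Alworo and Phanta rules in this file do — would tighten the match at no cost. Note that `&pcname=` is `fast_pattern:only` and is therefore not evaluated as a rule option, so the relative chain has to run through the neighbouring contents rather than through it.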
@@ -46913,7 +46979,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body><div|20|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.aspk?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Infected Device Registration"; flow:established,to_server; content:"/RegistUid.asp"; fast_pattern:only; http_uri; nocase; content:"?pid="; nocase; http_uri; content:"&cid="; nocase; http_uri; content:"&imei="; nocase; http_uri; content:"&sim="; nocase; http_uri; content:"&imsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013238; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:2;)
@@ -47039,13 +47105,13 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flowbits:isset,ET.flash.pdf; flow:established,to_client; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; fast_pattern:only; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:1;)
#
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN DarkComet-RAT init connection"; flow:from_server,established; dsize:12; content:"|38 45 41 34 41 42 30 35 46 41 37 45|"; flowbits:set,ET.DarkCometJoin; flowbits:noalert; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013283; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN DarkComet-RAT init connection"; flow:from_server,established; dsize:12; content:"|38 45 41 34 41 42 30 35 46 41 37 45|"; flowbits:set,ET.DarkCometJoin; flowbits:noalert; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013283; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DarkComet-RAT server join acknowledgement"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013284; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkComet-RAT server join acknowledgement"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; reference:url,anubis.iseclab.org/?action=result&task_id=1a7326f61fef1ecb4ed4fbf3de3f3b8cb&format=txt; classtype:trojan-activity; sid:2013284; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DarkComet-RAT Client Keepalive"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; classtype:trojan-activity; sid:2013285; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN DarkComet-RAT Client Keepalive"; flow:to_server,established; dsize:12; content:"|39 34 41 35 41 44 30 41 45 46 36 39|"; flowbits:isset,ET.DarkCometJoin; reference:url,www.darkcomet-rat.com; classtype:trojan-activity; sid:2013285; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Jadtre Retrieving Cfg File"; flow:established,to_server; content:"/tool/mavatarcfg/"; http_uri; content:".cfg"; http_uri; pcre:"/\x2F(data|main|patch)\x2Ecfg/U"; classtype:trojan-activity; sid:2013286; rev:1;)
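Review bot: After the port widening, sids 2013284 (L1894) and 2013285 (L1897) are left with byte-identical detection — same direction, `dsize:12`, the same 12-byte content and the same `flowbits:isset,ET.DarkCometJoin` — so every packet that matches one raises both alerts, differing only in msg. If the acknowledgement and the keepalive really are the same bytes, one of the two could be retired the way this file retires rules (`#alert` with an `ET DELETED` msg); if they are distinguished only by position in the session, setting a second flowbit on the acknowledgement rule and requiring it on the keepalive rule would separate them. The duplication predates this change, but the rev bump on both rules is the natural place to resolve it.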
@@ -47159,7 +47225,7 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Node Server Type"; flow:established,to_client; content:"Server|3A| Dict/"; fast_pattern:only; http_header; classtype:trojan-activity; sid:2013326; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"f0="; http_client_body; depth:3; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"f0="; http_client_body; depth:3; content:"&b0="; distance:0; http_client_body; content:"&pid="; distance:0; http_client_body; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:3;)
#
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query for Known Hostile Domain gooqlepics com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|gooqlepics|03|com|00|"; fast_pattern:only; reference:url,blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html; classtype:bad-unknown; sid:2013328; rev:2;)
@@ -47201,13 +47267,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV/Application JPDesk/Delf checkin"; flow:established,to_server; content:"|2f 3f|data="; http_uri; nocase; content:"jpdesk.com|0d 0a|"; nocase; http_header; pcre:"/\x2f\x3fdata\x3d[a-fA-F0-9]{60}/U"; reference:url,www.threatexpert.com/report.aspx?md5=08f116cf4feff245dca581244e4f509c; classtype:trojan-activity; sid:2013340; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisproc Variant POST to CnC Server"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/GetGrid.asp"; http_uri; content:"SN="; http_client_body; depth:3; content:"&SP="; distance:0; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=04dc87d4dcf12f9c05a22ab9890a6323; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisproc&ThreatID=-2147342628; classtype:trojan-activity; sid:2013342; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisproc Variant POST to CnC Server"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/GetGrid.asp"; http_uri; content:"SN="; http_client_body; depth:3; content:"&SP="; http_client_body; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=04dc87d4dcf12f9c05a22ab9890a6323; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FSisproc&ThreatID=-2147342628; classtype:trojan-activity; sid:2013342; rev:3;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan Dropper User-Agent Firefox/3.6.3"; flow:established,to_server; content:"User-Agent|3A| Firefox/3.6.3"; http_header; classtype:trojan-activity; sid:2013341; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 806 (msg:"ET TROJAN Backdoor W32/Phanta Checkin"; flow:established,to_server; content:"/do.php?userid="; content:"&time="; distance:0; content:"&msg="; distance:0; content:"&ver="; distance:0; content:"&os="; distance:0; content:"&fy="; distance:0; content:"&pauid="; distance:0; content:"&checkId="; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A; reference:url,www.threatexpert.com/report.aspx?md5=0012a0b60572dfa4f42a4325507841d8; classtype:trojan-activity; sid:2013343; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 806 (msg:"ET DELETED Backdoor W32/Phanta Checkin"; flow:established,to_server; content:"/do.php?userid="; content:"&time="; distance:0; content:"&msg="; distance:0; content:"&ver="; distance:0; content:"&os="; distance:0; content:"&fy="; distance:0; content:"&pauid="; distance:0; content:"&checkId="; distance:0; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A; reference:url,www.threatexpert.com/report.aspx?md5=0012a0b60572dfa4f42a4325507841d8; classtype:trojan-activity; sid:2013343; rev:1;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 6060 (msg:"ET TROJAN Unknown Trojan Checkin to CnC Server"; flow:established,to_server; content:"GET /passport.asp?ID="; depth:21; content:"&fn="; distance:0; content:"&Var="; distance:0; classtype:trojan-activity; sid:2013344; rev:3;)
@@ -47246,12 +47312,21 @@
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3;)
#
+#alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET DELETED Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013356; rev:2;)
+
+#
+alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1;)
+
+#
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2;)
#
alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2;)
#
+alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - photobucket.com.* "; content:"|0b|photobucket|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013360; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic.KD.291903/Win32.TrojanClicker.Agent.NII Nconfirm Checkin"; flow:to_server,established; content:"/nconfirm.php?rev="; http_uri; content:"&code="; http_uri; content:"¶m="; http_uri; content:"&num="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014398; rev:3;)
##by Joe Stewart
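Review bot: Sid 2013357 added at L1925 carries detection options byte-identical to the retired 2013356 directly above it, so the hunk retires a rule and re-adds the same logic under a new sid without saying why. A one-line `#` comment above L1925 such as `# 2013357 replaces retired 2013356 (identical detection); <REASON-PLACEHOLDER>` would tell the next maintainer this is deliberate rather than an accidental duplicate. If the intent was simply to re-enable the rule, reviving 2013356 at a higher rev would keep the sid history intact instead.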
@@ -47267,6 +47342,9 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS windows_security_update Fake AV download"; flow:established,from_server; file_data; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:4;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shady Rat/HTran style HTTP Header Pattern Request UHCa and Google MSIE UA"; flow:established,to_server; content:" HTTP/1.1|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32|3b|Google|3b|)|0d 0a|Host|3a| "; fast_pattern:54,20; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; within:70; reference:url,www.secureworks.com/research/threats/htran/; classtype:trojan-activity; sid:2016429; rev:3;)
+
+#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PUT Website Defacement Attempt"; flow:established,to_server; content:"PUT"; http_method; content:"<title>.|3a 3a|[+] Defaced by "; nocase; http_client_body; classtype:web-application-attack; sid:2013365; rev:1;)
#
@@ -47291,7 +47369,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Oliga Fake User Agent"; flow:established,to_server; content:"User-Agent|3A| Mozilla/4.75 [en]"; http_header; fast_pattern:11,18; classtype:trojan-activity; sid:2013372; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV oms.php Data Post"; flow:established,to_server; content:"POST"; nocase; nocase; http_method; content:"/oms.php"; http_uri; content:"data="; http_client_body; depth:5; classtype:trojan-activity; sid:2013373; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV oms.php Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/oms.php"; http_uri; content:"data="; http_client_body; depth:5; classtype:trojan-activity; sid:2013373; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV User-Agent XML"; flow:established,to_server; content:"User-Agent|3A| XML|0D 0A|"; http_header; classtype:trojan-activity; sid:2013374; rev:1;)
@@ -47330,7 +47408,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/FakeAlert Fake Security Tool Checkin"; flow:established,to_server; content:"==/count.htm"; http_uri; reference:url,threatexpert.com/reports.aspx?find=03abdc31d0f864c7b69b09d6481d3ff7; classtype:trojan-activity; sid:2013386; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent Ryeol HTTP Client Class"; flow:established,to_server; content:"User-Agent|3A 20|Ryeol HTTP Client Class"; http_header; classtype:trojan-activity; sid:2013387; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User Agent Ryeol HTTP Client Class"; flow:established,to_server; content:"User-Agent|3A 20|Ryeol HTTP Client Class"; http_header; classtype:trojan-activity; sid:2013387; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; content:"User-Agent|3A| MM "; http_header; pcre:"/User-Agent\x3a MM \d\.\d+\x0d\x0a/H"; classtype:trojan-activity; sid:2013388; rev:3;)
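Review bot: L1956 downgrades the msg from `ET TROJAN Suspicious User Agent ...` to `ET POLICY User Agent ...` but keeps `classtype:trojan-activity`, so the category in the msg and the classification sent to the alert consumer now disagree. If the reclassification is intended, `classtype:policy-violation;` — the classtype the POLICY rule at L1972 uses — would make the two agree, and the rev is already bumped to 2 in this hunk so no further bump is needed. If the classtype is deliberately retained, a short `#` comment above the rule saying so would stop the next reader from "fixing" it.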
@@ -47492,7 +47570,7 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; file_data; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:trojan-activity; sid:2013440; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:5;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; nocase; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:2;)
@@ -47525,7 +47603,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; depth:11; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:trojan-activity; sid:2013451; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (go-diva)"; flow:to_server,established; content:"User-Agent|3a| go-diva"; http_header; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:trojan-activity; sid:2013452; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (go-diva)"; flow:to_server,established; content:"User-Agent|3a| go-diva"; http_header; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:trojan-activity; sid:2013452; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY CNET Custom Installer Possible Bundled Bloatware"; flow:established,to_server; content:"GET"; http_method; content:"/rest/"; http_uri; content:"/softwareProductLink?"; http_uri; content:"productSetId="; http_uri; content:!"User-Agent|3a| "; http_header; content:!"Referer|3a| "; http_header; reference:url,www.extremetech.com/computing/93504-download-com-wraps-downloads-in-bloatware-lies-about-motivations; classtype:policy-violation; sid:2013453; rev:2;)
@@ -47564,7 +47642,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DOS Skype FindCountriesByNamePattern property Buffer Overflow Attempt Format String Function Call"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SkypePNRLib.PNR"; nocase; distance:0; content:".FindCountriesByNamePattern"; nocase; reference:url,garage4hackers.com/f43/skype-5-x-activex-crash-poc-981.html; classtype:attempted-user; sid:2013463; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; http_header; content:"bytes="; http_header; fast_pattern; nocase; distance:0; isdataat:10,relative; content:","; http_header; within:11; isdataat:10,relative; content:","; http_header; within:11; isdataat:10,relative; content:","; http_header; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100,}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Apache mod_deflate DoS via many multiple byte Range values"; flow:established,to_server; content:"Range|3a|"; nocase; http_header; content:"bytes="; http_header; fast_pattern; nocase; distance:0; isdataat:10,relative; content:","; http_header; within:11; isdataat:10,relative; content:","; http_header; within:11; isdataat:10,relative; content:","; http_header; within:11; isdataat:70,relative; content:!"|0d 0a|"; within:12; http_header; pcre:"/Range\x3a\s?bytes=[-0-9,\x20]{100}/iH"; reference:url,seclists.org/fulldisclosure/2011/Aug/175; classtype:attempted-dos; sid:2013473; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress UnGallery pic Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/ungallery/source_vuln.php?"; http_uri; nocase; content:"pic="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/99004/RhinOS3.0r1113-lfi.txt; classtype:web-application-attack; sid:2013464; rev:2;)
@@ -47606,7 +47684,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".pdf.exe"; nocase; distance:0; http_header; fast_pattern; classtype:bad-unknown; sid:2013478; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection (Outbound)"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:3;)
#
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS query for Morto RDP worm related domain qfsl.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|qfsl|03|net"; fast_pattern; reference:url,www.f-secure.com/weblog/archives/00002227.html; classtype:bad-unknown; sid:2013480; rev:1;)
@@ -47714,7 +47792,7 @@
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Potential DNS Command and Control via TXT queries"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013514; rev:2;)
#
-alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET TROJAN Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:2;)
+#alert tcp $HOME_NET 1023: -> $EXTERNAL_NET 53 (msg:"ET TROJAN Potential DNS Command and Control via TXT queries"; flow:established,to_server; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|00 00 10 00 01|"; threshold:type both, track by_src,count 10, seconds 300; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015625.html; classtype:trojan-activity; sid:2013515; rev:3;)
#
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN TR/Spy.Gen checkin via dns ANY query"; content:"|01 00 00 01 00 00 00 00 00 00 32|"; depth:11; offset:2; content:"|00 00 FF 00 01|"; pcre:"/\x32[0-9a-f]{50}/"; reference:url,anubis.iseclab.org/?action=result&task_id=1623d5fd288be7024e56c5bd38359c33c; reference:url,mwanalysis.org/?page=report&analysisid=430235&password=wwgcvyheon; reference:url,www.threatexpert.com/report.aspx?md5=2519bdb5459bc9f59f59cd7ccb147d23; classtype:trojan-activity; sid:2013516; rev:1;)
@@ -47792,7 +47870,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; content:".php?pi="; fast_pattern:only; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 6.0)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013540; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32)"; flow:established,to_server; content:"User-Agent|3A 20|Revolution"; http_header; reference:url,threatexpert.com/report.aspx?md5=1431f4ab4bbe3ad1087eb14cf4d7dff9; classtype:trojan-activity; sid:2013542; rev:1;)
@@ -47822,16 +47900,19 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:4;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.FresctSpy.A User-Agent (MBVDFRESCT)"; flow:to_server,established; content:"User|2d|Agent|3a| MBVDFRESCT"; nocase; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FAgent.CZ; classtype:trojan-activity; sid:2016908; rev:3;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:3;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet code=|27|buildService.MapYandex.class|27|"; content:".jar"; content:"</applet>"; classtype:bad-unknown; sid:2013553; rev:5;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:4;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; classtype:bad-unknown; sid:2013554; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fivfrom Downloader (Unitrix)"; flow:established,to_server; content:".php?seller="; http_uri; content:"&hash={"; http_uri; pcre:"/hash=\{[a-f0-9]+-/Ui"; classtype:trojan-activity; sid:2013555; rev:4;)
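Review bot: The new sid:2016908 is followed by an empty line and then a `#` line, whereas every existing rule in this file is separated from the next by a single `#` line; the same blank-line-plus-`#` pattern is introduced in the hunks at @@ -48164, @@ -48272 and @@ -48875. Dropping the empty line keeps the separator convention uniform and the file greppable by a single pattern. On the rule itself, the hex-escaped `User|2d|Agent|3a|` is equivalent to the plain form used by the neighbouring rules (e.g. sid:2013550), so `content:"User-Agent|3a| MBVDFRESCT"; nocase; http_header;` would read consistently with its siblings.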
@@ -47903,7 +47984,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:bad-unknown; sid:2013658; rev:1;)
#
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"SomeOrganizationalUnit1"; classtype:policy-violation; sid:2013659; rev:2;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Self Signed SSL Certificate (SomeOrganizationalUnit)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"SomeOrganizationalUnit"; classtype:policy-violation; sid:2013659; rev:3;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:"<html><body><script>|0d 0a|"; fast_pattern; nocase; content:"document.createElement"; within:50; content:"|28|String["; distance:0; pcre:"/,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,[0-9\.]+\*\d,[a-z]\+\d+,/iR"; classtype:bad-unknown; sid:2013660; rev:3;)
@@ -47918,7 +47999,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Exploit Pack Binary Load Request (server_privileges.php)"; flow:established,to_server; content:"/server_privileges.php?"; http_uri; pcre:"/\/server_privileges\.php\?[0-9a-f]{32}=\d+(&\w+)?$/U"; classtype:trojan-activity; sid:2013663; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013664; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013664; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013665; rev:2;)
@@ -47993,9 +48074,6 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Shylock Module Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a 23 23 23|ERROR_SRC|23 23 23|"; content:"|23 23 23|ERROR_SRC_END|23 23 23|"; distance:0; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st Checkin (5-12 Byte keyword)"; flow:to_server,established; dsize:<900; content:"|00 00|"; offset:7; depth:9; content:"|00 00 78 9C|"; distance:2; within:4; pcre:"/^[a-z0-9\x40\x2d\x5f]{5,12}..\x00\x00..\x00\x00\x78\x9c/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:trojan-activity; sid:2015624; rev:8;)
-
-#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; content:"/gate.php?hwid="; nocase; http_uri; content:"&pc="; nocase; http_uri; content:"&localip="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013748; rev:3;)
#
@@ -48164,11 +48242,17 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2013743; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNMAIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; content:".no-ip.com|0d 0a|"; http_header; nocase; content:!"www.no-ip.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013744; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; content:".no-ip.com|0d 0a|"; http_header; nocase; content:!"www.no-ip.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013744; rev:7;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2013745; rev:3;)
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Win32/Comisproc Checkin"; flow:to_server,established; content:".asp?mac="; offset:4; content:"&ver="; distance:0; content:" HTTP/1."; distance:0; content:"|0d 0a|User-Agent|3a| Google"; nocase; distance:1; within:20; reference:url,threatexpert.com/report.aspx?md5=9378ef5f2fb2e71e5eeed20f9f21d8dd; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Comisproc&ThreatID=-2147341910; reference:url,unixfreaxjp.blogspot.com.br/2012/11/ocjp-080-bootkitsoftbankbb.html; classtype:trojan-activity; sid:2017066; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-CSON Checkin - APT1 Related"; flow:to_server,established; content:"/Default.aspx?INDEX="; http_uri; pcre:"/\?INDEX=[A-Z]{10}$/U"; content:!"User-Agent|3a| Mozilla "; http_header; reference:url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,intelreport.mandiant.com/; reference:md5, 8dd6a7fe83bd9682187d956f160ffb47; classtype:trojan-activity; sid:2016460; rev:7;)
+
##by Harry Tuttle
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 3"; flow:established,to_server; content:"/pch2.php?c="; http_uri; pcre:"/pch2.php?c=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013746; rev:6;)
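Review bot: The context rule sid:2013746 on the last line of this hunk carries the same unescaped-metacharacter defect this commit fixes in sid:2013946 and sid:2013947: in `pcre:"/pch2.php?c=\d+$/U"` the `?` makes the preceding `p` optional and the unescaped `.` matches any character other than newline, so the pattern does not constrain the URI to the literal `pch2.php?c=`. Changing it to `pcre:"/pch2\.php\?c=\d+$/U"` and bumping the rev would complete the cleanup started in @@ -48761. Separately, the new sid:2016460 writes `reference:md5, 8dd6a7fe83bd9682187d956f160ffb47` with a space after the comma, unlike every other reference on the page; `reference:md5,8dd6a7fe83bd9682187d956f160ffb47` avoids relying on the parser trimming the value.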
@@ -48272,6 +48356,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Scar.dvov Searchstar.co.kr related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/juso_return.php?mode="; http_uri; content:"&pluslook_p"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=07ed70b6e7775a510d725c9f032c70d8; classtype:trojan-activity; sid:2013781; rev:3;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Emold.C Checkin"; flow:to_server,established; content:"/ld.php?v="; http_uri; content:"&rs="; http_uri; content:"&n="; http_uri; pcre:"/\/ld\.php\?v\x3d\d+\x26rs\x3d((\d+\x2d){3})?\d+\x26n\x3d\d/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=49205774f0ff7605c226828e080238f3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FEmold.C; classtype:trojan-activity; sid:2016251; rev:3;)
+
+#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3;)
#
@@ -48308,7 +48395,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Dropper.Win32.Npkon Server Responce"; flow:from_server,established; content:"|40 1f|"; offset:1; depth:2; content:"|01|"; distance:1; within:1; content:"|10 00 00 00|"; distance:1; within:4; dsize:26; reference:url,www.threatexpert.com/report.aspx?md5=a7f4a7d08fa650a5f09a00519b944b0b; classtype:trojan-activity; sid:2013794; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_header; pcre:"/\x2e(png|gif|jpeg|jpg)\x3fsv\x3d/U"; classtype:trojan-activity; sid:2013795; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"GET"; http_method; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; content:"User-Agent|3a| chrome/9.0"; http_header; pcre:"/(?:1|2)\.(?:p(?:hp|ng)|jpe?g|cgi|gif)\?sv=\d{2,3}&tq=/Ui"; classtype:trojan-activity; sid:2013795; rev:9;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; distance:0; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:2;)
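Review bot: The rewritten sid:2013795 drops the trailing `|0D 0A|` from the User-Agent content, so `content:"User-Agent|3a| chrome/9.0"; http_header;` now also matches any UA whose value merely begins with `chrome/9.0` (a longer version string, for instance), where the previous revision required the value to end there. If the broader match is intended, the pcre's `\?sv=\d{2,3}&tq=` is the only remaining tightening; otherwise `content:"User-Agent|3a| chrome/9.0|0d 0a|"; http_header;` restores the earlier precision. The leading `(?:1|2)\.` in the new pcre also narrows the match to requested filenames ending in `1` or `2` before the extension, a constraint stated nowhere on the line; a `#` comment above the rule recording why would keep a future revision from dropping it by mistake.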
@@ -48407,7 +48494,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.int.tf domain"; flow:to_server,established; content:".int.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013829; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; http_header; content:"AntiVirus"; nocase; http_header; within:24; content:".exe"; http_header; within:24; http_header; classtype:trojan-activity; sid:2013827; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; http_header; content:"AntiVirus"; nocase; http_header; within:24; content:".exe"; http_header; within:24; classtype:trojan-activity; sid:2013827; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.edu.tf domain"; flow:to_server,established; content:".edu.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013830; rev:1;)
@@ -48518,7 +48605,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?tq="; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?tq=/U"; classtype:trojan-activity; sid:2013865; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Bomgar Remote Assistance Tool Download"; flow:established,from_server; content:"filename="; http_header; content:"bomgar-scc-"; http_header; nocase; distance:0; fast_pattern; content:".exe"; http_header; nocase; distance:0; reference:url,www.bomgar.com; classtype:policy-violation; sid:2013867; rev:1;)
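Review bot: sid:2013866 is disabled with a double `##` prefix, while the other rules this commit retires (sid:2013515, sid:2013541, sid:2013994) use a single `#`, and `##` is what this file otherwise uses for author attributions such as `##by StillSecure`. Writing the line as `#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; ...` keeps disabled rules visually distinct from attribution lines and consistent with the rest of the diff.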
@@ -48659,7 +48746,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN P2P Zeus Response From CnC"; flow:established,from_server; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74|"; distance:5; within:2; content:"|C1|"; distance:4; within:2; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013912; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Usteal.B Checkin"; flow:to_server,established; content:"/ufr.php"; http_uri; content:"name="; http_client_body; content:"filename="; http_client_body; content:"UFR|21|"; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:trojan-activity; sid:2014616; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Usteal.B Checkin"; flow:to_server,established; content:"/ufr.php"; fast_pattern:only; http_uri; content:"name="; http_client_body; content:"filename="; http_client_body; content:"UFR|21|"; http_client_body; reference:url,www.threatexpert.com/report.aspx?md5=3155b146bee46723acc5637617e3703a; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanSpy%3AWin32%2FUsteal.B&ThreatID=-2147320862; classtype:trojan-activity; sid:2014616; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Request for utu.dat Likely Ponmocup checkin"; flow:to_server,established; content:"GET"; nocase; http_method; uricontent:"/update/utu.dat"; reference:url,www.threatexpert.com/report.aspx?md5=6fd8cdee653c0fde769e6c48d65e28bd; classtype:trojan-activity; sid:2013913; rev:2;)
@@ -48722,7 +48809,7 @@
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"spf"; distance:0; classtype:trojan-activity; sid:2013935; rev:2;)
#
-alert tcp any any -> $HOME_NET 443 (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,to_server; content:"SSH-"; depth:4; classtype:bad-unknown; sid:2013936; rev:3;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY SSH banner detected on TCP 443 likely proxy evasion"; flow:established,from_server; content:"SSH-"; depth:4; flowbits:set,is_ssh_server_banner; classtype:bad-unknown; sid:2013936; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Weevely PHP backdoor detected (system() function used)"; flow:to_server,established; content:"QHN5c3Rl"; fast_pattern; content:"Referer|3a| http|3a|//www.google.com/url?sa="; http_header; reference:url,bechtsoudis.com/security/put-weevely-on-the-your-nids-radar; classtype:web-application-activity; sid:2013937; rev:3;)
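Review bot: The new `flowbits:set,is_ssh_server_banner` in sid:2013936 departs from the `et.`-prefixed flowbit names used elsewhere on this page (`et.exploitkitlanding` in sid:2013550, sid:2013664, sid:2013665 and sid:2013746). If the name is shared with consumer rules outside this diff that test it with `flowbits:isset`, keeping it is correct; otherwise `flowbits:set,et.is_ssh_server_banner` would follow the local convention. Since the rule still alerts on its own and the flowbit is presumably consumed by a follow-on rule not visible here, a `#` comment above the rule naming that consumer would make the dependency discoverable when the rule is next revised.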
@@ -48761,10 +48848,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud.A User-Agent (needit)"; flow:to_server,established; content:"User-Agent|3a| needit|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=1b1fff82c72277aff808291d53df7fd8; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FRimecud.A; classtype:trojan-activity; sid:2013951; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.EGZ Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/logo/go.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; pcre:"/\/logo\/go\.php?id=\d{1,3}$/U"; reference:url,www.virustotal.com/file-scan/report.html?id=458ec5d5b3c1c02b6c64b360f82bcbf529f580c2d646b2ae161fc7dd2ea9927d-1321069787; classtype:trojan-activity; sid:2013946; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.EGZ Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/logo/go.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; pcre:"/\/logo\/go\.php\?id=\d{1,3}$/U"; reference:url,www.virustotal.com/file-scan/report.html?id=458ec5d5b3c1c02b6c64b360f82bcbf529f580c2d646b2ae161fc7dd2ea9927d-1321069787; classtype:trojan-activity; sid:2013946; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.EGZ Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/b.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; pcre:"/\/images\/b\.php?id=\d{1,3}$/U"; classtype:trojan-activity; sid:2013947; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.EGZ Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/images/b.php?id="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a| "; pcre:"/\/images\/b\.php\?id=\d{1,3}$/U"; classtype:trojan-activity; sid:2013947; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.TIBIA Checkin or Data Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/arq.php"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013948; rev:3;)
@@ -48854,7 +48941,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web File Browser file Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/webFileBrowser.php?"; nocase; http_uri; content:"act=download"; nocase; http_uri; content:"sortby=name"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,exploit-db.com/exploits/18070/; classtype:web-application-attack; sid:2013982; rev:2;)
##by StillSecure
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Win32/EoRezo Reporting"; flow:established,to_server; content:"/advert/getads?"; nocase; http_uri; content:"x_dp_id="; nocase; http_uri; content:"frame="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=b5708efc8b478274df4b03d8b7dbbb26; classtype:trojan-activity; sid:2013983; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Win32/EoRezo Reporting"; flow:established,to_server; content:"/advert/get"; nocase; http_uri; content:"_dp_id="; nocase; http_uri; content:"frame="; nocase; http_uri; pcre:"/\/advert\/get(ads|kws)(\.cgi\?|\?)[ex]_dp_id=/Ui"; reference:url,threatexpert.com/report.aspx?md5=b5708efc8b478274df4b03d8b7dbbb26; classtype:trojan-activity; sid:2013983; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zabbix popup.php SELECT FROM SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/popup.php?"; nocase; http_uri; content:"dstfrm="; nocase; http_uri; content:"dstfld1="; nocase; http_uri; content:"srctbl="; nocase; http_uri; content:"srcfld1="; nocase; http_uri; content:"only_hostid="; nocase; http_uri; content:"SELECT"; nocase; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,1337day.com/exploits/17081; classtype:web-application-attack; sid:2013984; rev:2;)
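Review bot: In the new pcre of sid:2013983 the alternation `(\.cgi\?|\?)` is a capturing group whose only job is to make `.cgi` optional before the `?`; `(?:\.cgi)?\?` states that directly and avoids an unneeded capture, matching the non-capturing style this same commit uses in the pcre of sid:2013795. The `frame=` content is not reflected in the pcre, so the pattern's ordering guarantee ends at `[ex]_dp_id=`; if `frame=` is expected to follow it, extending the pattern (for example `...[ex]_dp_id=[^\s]*frame=`) would pin that too, otherwise the current loose co-occurrence check is acceptable and only the capture-group change is worth making.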
@@ -48875,16 +48962,19 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla component img Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_img"; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95683/joomlaimg-lfi.txt; classtype:web-application-attack; sid:2013989; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; distance:0; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013991; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09|<field qwe=|22|213123|22| name=|22|qwe123|22|"; distance:0; content:"application/x-javascript"; distance:0; classtype:trojan-activity; sid:2013990; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; distance:0; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013991; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; distance:0; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013992; rev:3;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; distance:0; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; classtype:trojan-activity; sid:2013992; rev:4;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cacti Input Validation Attack 2"; flow:established,to_server; content:"GET"; http_method; content:"config_settings.php"; http_uri; pcre:"/config_settings\.php\?.*=(http|https)\x3a\//Ui"; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; classtype:web-application-activity; sid:2013993; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0d 0a|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0a 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; sid:2013994; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0d 0a|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0a 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; classtype:trojan-activity; sid:2013994; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013995; rev:2;)
@@ -48911,7 +49001,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake Variation of Mozilla 4.0 - Likely Trojan"; flow:established,to_server; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 29|"; fast_pattern:20,17; http_header; content:!"BlueCoat"; nocase; http_header; classtype:trojan-activity; sid:2014002; rev:7;)
#
-alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:3;)
+##alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query for Sykipot C&C www.prettylikeher.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|prettylikeher|03|com"; fast_pattern; distance:0; nocase; reference:cve,CVE-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014005; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Sykipot Checkin"; flow:established,from_client; content:"/kys_allow_get.asp?name="; http_uri; content:"&hostname="; http_uri; reference:cve,CVE-2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014006; rev:1;)
@@ -48932,13 +49022,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getsock Command"; flow:established,to_server; content:"cmd=getsocks&login="; http_uri; classtype:trojan-activity; sid:2014011; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getload Command"; flow:established,to_server; content:"cmd=getload&login="; http_uri; classtype:trojan-activity; sid:2014012; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getload Command"; flow:established,to_server; content:"cmd=getload&login="; http_uri; reference:url,sophosnews.files.wordpress.com/2013/07/sophosszappanosplugxrevisitedintroducingsmoaler-rev1.pdf; reference:url,symantec.com/security_response/writeup.jsp?docid=2011-100515-1838-99&tabid=2; classtype:trojan-activity; sid:2014012; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern:23,6; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE"; distance:0; pcre:"/^X-ID\x3a\x20\d+$/H"; classtype:trojan-activity; sid:2014014; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern:23,6; pcre:"/^X-ID\x3a\x20\d+\r?$/Hm"; classtype:trojan-activity; sid:2014014; rev:8;)
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJAN LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0D 0A|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0D 0A|Connection|3a| close|0D 0A 0D 0A|"; http_header; classtype:trojan-activity; sid:2014015; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TROJAN LDPinch Loader Binary Request"; flow:established,to_server; content:"HTTP/1.0|0D 0A|Host|3a|"; content:".exe"; http_uri; nocase; content:"User-Agent|3a| "; http_header; content:"|0D 0A|Connection|3a| close|0D 0A 0D 0A|"; http_header; classtype:trojan-activity; sid:2014015; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER JBoss jmx-console Probe"; flow:to_server,established; content:"HEAD"; http_method; content:"/jmx-console/HtmlAdaptor?"; http_uri; nocase; reference:cve,2010-0738; classtype:web-application-activity; sid:2014017; rev:1;)
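Review bot: The Smokeloader getload rule (sid 2014012) gets two new `reference:url` options but its revision stays at `rev:1;`, so rule managers and diff tooling that key on sid/rev will treat the edited rule as unchanged. Every other rule touched in this hunk (the Zeus and LDPinch edits) bumps its revision; this one should read `sid:2014012; rev:2;`. The Zeus change itself looks sound: dropping the User-Agent content and anchoring `X-ID` with `/^X-ID\x3a\x20\d+\r?$/Hm` is a tighter header match than before.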
@@ -48974,12 +49064,18 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:bad-unknown; sid:2014027; rev:3;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Xtrat.A Checkin"; flow:established,to_server; content:".functions HTTP/1."; fast_pattern; content:!"Referer|3a|"; distance:0; pcre:"/^[^\r\n]+\/\d+\.functions HTTP\/1\./"; content:!"Host|3a| microsoft.com|0d 0a|"; reference:url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092; classtype:trojan-activity; sid:2016275; rev:14;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely CryptMEN FakeAV Download vclean"; flow:established,from_server; content:"filename=|22|vclean"; nocase; http_header; content:".exe"; nocase; http_header; within:20; classtype:trojan-activity; sid:2014028; rev:1;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe"; flow:established,to_server; content:"/yahoo.com"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2014029; rev:2;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Vundo.OD Checkin"; flow:to_server,established; content:"/get.php?"; http_uri; content:"id="; http_uri; content:"key="; http_uri; content:"&os="; http_uri; content:"&av="; http_uri; content:"&vm="; http_uri; content:"&al="; http_uri; content:"&p="; http_uri; content:"&z="; http_uri; content:!"User-Agent|3a|"; http_header; pcre:"/\/get\.php\?(id|key)\x3d/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=8840a0d9d7f4dba3953ccb68b17b2d6c; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FVundo.OD; classtype:trojan-activity; sid:2016424; rev:4;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Rebate Informer User-Agent (REBATEINF)"; flow: established,to_server; content:"User-Agent|3a| REBATEINF"; http_header; fast_pattern:only; reference:url,www.rebategiant.com; classtype:trojan-activity; sid:2014030; rev:1;)
#
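Review bot: The two new rules (sid 2016275 and sid 2016424) are inserted between sid 2014027 and sid 2014030, breaking the ascending-sid order the surrounding rules keep; the same applies to sid 2016450 added in the Likseput hunk further down. Out-of-order sids make later diffs and duplicate-sid checks harder to read, so placing them with their numeric neighbours would keep the file consistent. Each new rule is also followed by an empty line before the `#` separator, whereas existing rules are separated by a single `#` line.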
@@ -49052,6 +49148,9 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:1;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Hilgild!gen.A CnC Communication"; flow:established,to_server; content:"Y|00|M|00|S|00|G|00 2e 00 2e 00 2e 00 2e 00|"; depth:16; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6|"; dsize:1024; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014055; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive to CnC"; flow:established,to_server; content:"|13 cb df 56 6f f3 20 08 c2 f1 ab d3 6f 75 56 a9|"; offset:16; depth:16; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014056; rev:2;)
#
@@ -49217,6 +49316,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32-Dynamer.dtc Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/total_visitas.php"; http_uri; content:".php HTTP/1.1|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Dynamer!dtc; reference:md5,989ba48e0a9e39b4b6fc5c6bf400c41b; classtype:trojan-activity; sid:2014113; rev:3;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Likseput.A Checkin"; flow:to_server,established; content:"User-Agent|3a| 5|2e|"; http_header; content:"|5c|"; within:64; http_header; content:"Host|3a| "; http_header; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http_header; pcre:"/User\-Agent\x3a\x205\.[0-2]\x20\d\d\x3a\d\d\x20/Hi"; reference:url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:trojan-activity; sid:2016450; rev:2;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf/Troxen/Zema Reporting 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?m="; http_uri; content:"&s="; http_uri; content:"&v="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?m=[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}&[vs]=/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014114; rev:3;)
#
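Review bot: In the new Likseput rule (sid 2016450) the option `content:!"|0d 0a|"; distance:-6; within:2; http_header;` appears to be a no-op: after `Host|3a| ` (6 bytes) matches, `distance:-6` moves the cursor back to the start of that same match and `within:2` only examines the bytes `Ho`, which can never contain `|0d 0a|`, so the negation always succeeds. If the intent was to require that the `|5c|` and the Host header sit on the same header line, the check needs to be anchored from the `|5c|` match rather than from `Host|3a| `; if there was no such intent, the option can be dropped. This reading is taken from the relative-offset semantics of the rule text alone, so please confirm against a test pcap.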
@@ -49235,13 +49337,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lici Initial Checkin"; flow:established,to_server; content:".php?email="; http_uri; content:"&lici="; http_uri; content:"&ver="; http_uri; content:"HTTP/1.0"; content:!"User-Agent|3A|"; http_header; reference:md5,2f4d35e797249e837159ff60b827c601; classtype:trojan-activity; sid:2014119; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Eorezo-B Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"User-Agent|3A 20|EoAgence-"; http_header; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:trojan-activity; sid:2014120; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"User-Agent|3A 20|EoAgence-"; http_header; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:trojan-activity; sid:2014120; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Nuclear Checkin"; flow:established,to_server; content:".htm"; http_uri; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Win32)"; http_header; content:"HOST|3A 20|"; http_header; reference:md5,bd4af162f583899eeb6ce574863b4db6; classtype:trojan-activity; sid:2014121; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OpenCandy Adware Checkin"; flow:established,to_server; content:"/?clientv="; http_uri; content:"&cltzone="; http_uri; content:"&mstime="; http_uri; content:"&os="; http_uri; content:"&product_key="; http_uri; content:"opencandy.com"; http_header; classtype:trojan-activity; sid:2014122; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OpenCandy Adware Checkin"; flow:established,to_server; content:"clientv="; http_uri; content:"&cltzone="; http_uri; content:"&mstime="; http_uri; content:"&os="; http_uri; content:"&product_key="; http_uri; content:"opencandy.com"; fast_pattern; http_header; classtype:trojan-activity; sid:2014122; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Help and Control Panel Exploit Request"; flow:established,to_server; content:"/cph2.php?c="; http_uri; reference:url,jsunpack.jeek.org/?report=2b1d42ba5b47676db4864855ac239a73fb8217ff; classtype:trojan-activity; sid:2014125; rev:3;)
@@ -49295,7 +49397,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; content:"/inst.php?"; http_uri; content:"User-Agent|3a| psi"; http_header; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:trojan-activity; sid:2014262; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; content:"GET"; http_method; content:"?id="; http_uri; content:"&msg="; http_uri; distance:13; within:5; pcre:"/\?id=[0-9]{13}&msg=[^&]+$/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS LOIC Javascript DDoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"/?id="; fast_pattern; http_uri; depth:5; content:"&msg="; http_uri; distance:13; within:5; pcre:"/^\/\?id=[0-9]{13}&msg=/U"; threshold: type both, track by_src, count 5, seconds 60; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014141; rev:3;)
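Review bot: The inbound LOIC rule (sid 2014140) is loosened — `/?id=` with `depth:5` and the anchored `^\/\?id=` pcre become an unanchored `?id=` with `\?id=[0-9]{13}&msg=[^&]+$` — but its outbound twin sid 2014141 on the following line keeps the old strict pattern, so the two rules now disagree on what a LOIC request looks like. If the change was prompted by real traffic carrying a path before `?id=`, the outbound rule needs the same edit and a revision bump; if the divergence is deliberate, a short comment line above the pair explaining why would help the next editor. Removing `fast_pattern` from `?id=` leaves the engine to choose `&msg=` as the fast pattern, which is a reasonable choice.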
@@ -49304,6 +49406,18 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; within:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:3;)
#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Esf Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:md5,e6ca06e9b000933567a8604300094a85; classtype:trojan-activity; sid:2014143; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED PoisonIvy.Eks Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:md5,9a494e7a48436e6defcb44dd6f053b33; classtype:trojan-activity; sid:2014144; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Ehy Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:md5,d2311b7208d563ac59c9114f5d422441; classtype:trojan-activity; sid:2014145; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Win32/Spy.Banker Reporting Via SMTP"; flow:established,to_server; content:"|3A 3A 3A 3A 3A 28 20|Cliente"; content:"Sistem S/"; distance:0; content:"Versao S/"; distance:0; classtype:trojan-activity; sid:2014146; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Landing Page Request"; flow:established,to_server; content:".php?s="; http_uri; pcre:"/\.php\?s=[0-9a-fA-F]{25}$/U"; flowbits:set,et.exploitkitlanding; reference:url,xylibox.blogspot.com/2012/01/sakura-exploit-pack-10.html; classtype:bad-unknown; sid:2014147; rev:1;)
#
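Review bot: The new `ET TROJAN Win32/Spy.Banker Reporting Via SMTP` rule (sid 2014146) carries no `reference:` option, while every other rule in this hunk cites at least an md5 or a URL; adding the sample it was written from (for instance `reference:md5,<SAMPLE-MD5-PLACEHOLDER>;`) lets the three plain-text strings it keys on be re-validated later. It also has no `fast_pattern`, so the engine will pick one of the three short strings itself; marking `|3A 3A 3A 3A 3A 28 20|Cliente` as `fast_pattern` would make that choice explicit.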
@@ -49346,13 +49460,13 @@
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:established,to_server; content:"/send.php?a_id="; http_uri; content:"&telno="; http_uri; content:"&m_addr="; http_uri; content:"&usr_id="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; classtype:trojan-activity; sid:2014161; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:to_server,established; content:"/send.php?a_id="; http_uri; content:"&telno="; fast_pattern:only; http_uri; content:"&m_addr="; http_uri; content:"Android"; http_header; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; reference:url,anubis.iseclab.org/?action=result&task_id=1ba82b938005acea4ddefc8eff1f4db06; reference:md5,cf9ba4996531d40402efe268c7efda91; reference:md5,537f190d3d469ad1f178024940affcb5; classtype:trojan-activity; sid:2014161; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"?pr="; http_uri; fast_pattern; content:"User-Agent|3A 20|chrome/9.0"; http_header; pcre:"/\x2E(png|gif|jpeg)\x3Fpr\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| chrome/9.0"; http_header; pcre:"/\x2E(?:p(?:hp|ng)|jpe?g|cgi|gif)\x3F(?:v/d{1,2}|pr)\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; content:"/gate.php?username="; http_uri; content:"&country="; http_uri; content:"&OS="; http_uri; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:trojan-activity; sid:2014164; rev:1;)
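Review bot: The rewritten Bifrose/Cycbot pcre `/\x2E(?:p(?:hp|ng)|jpe?g|cgi|gif)\x3F(?:v/d{1,2}|pr)\x3D/U` contains `v/d{1,2}`, which matches a literal slash followed by one or two letters `d` (`?v/d=`, `?v/dd=`); `v\d{1,2}` (a version number) was almost certainly intended, so as written the rule only fires on the `?pr=` branch. The unescaped `/` inside a `/`-delimited pcre is also easy to misread. The fix is `pcre:"/\x2E(?:p(?:hp|ng)|jpe?g|cgi|gif)\x3F(?:v\d{1,2}|pr)\x3D/U";` with the revision bumped to 5. Note that the old `content:"?pr="; http_uri; fast_pattern;` qualifier was removed, so the pcre now runs on every GET with that User-Agent rather than only on URIs that already contain a candidate parameter.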
@@ -49376,7 +49490,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related"; flow:established,to_server; content:".su|0d 0a|"; fast_pattern:only; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x2Esu\x0D\x0A/H"; reference:url,www.abuse.ch/?p=3581; classtype:trojan-activity; sid:2014170; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious HTTP Request to .*kwik.to/i.html"; flow:established,to_server; content:"kwik.to|0d 0a|"; http_header; content:"/i.html"; http_uri; depth:7; fast_pattern; classtype:bad-unknown; sid:2014171; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing"; flow:established,to_server; urilen:7; content:"/i.html"; http_uri; depth:7; fast_pattern; content:"Referer|3a| "; http_header; content:!"|0d 0a|"; http_header; within:100; content:"|0d 0a|"; distance:0; http_header; classtype:bad-unknown; sid:2014171; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN ClickCounter Connectivity Check"; flow:established,to_server; content:" clickme=1|0d 0a|"; http_header; content:"clickme=1"; http_cookie; classtype:trojan-activity; sid:2014172; rev:1;)
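Review bot: The repurposed Styx landing rule (sid 2014171) does not set `flowbits:set,et.exploitkitlanding;`, which the other exploit-kit landing rule in this diff (the Sakura landing rule, sid 2014147) sets, so any rule that checks that flowbit will not correlate a Styx landing with its follow-on requests. Adding `flowbits:set,et.exploitkitlanding;` before `classtype:` would keep it consistent with the rest of the landing-page rules. With `urilen:7` already constraining the normalized URI to exactly seven bytes, the `depth:7` on `/i.html` is redundant and can be dropped.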
@@ -49430,22 +49544,22 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014188; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014189; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014189; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OpenTrio User-Agent (Open3)"; flow:established,to_server; content:"User-Agent|3A 20|Open3"; http_header; classtype:trojan-activity; sid:2014190; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; fast_pattern:only; pcre:"/(-?\d+\x3a-?\d+\x3a){100,}/O"; classtype:trojan-activity; sid:2014194; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit JavaScript colon string splitting"; flow:established,from_server; content:"<html><body><pre style=|22|visibility|3a|hidden|3b 22|"; fast_pattern:only; pcre:"/(-?\d+\x3a-?\d+\x3a){100}/"; classtype:trojan-activity; sid:2014194; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:3;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/118GotYourNo Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/count"; http_uri; content:"appTitle="; http_client_body; content:"&strLink="; distance:0; content:"&proFirstTime="; distance:0; content:"&proLastTime="; distance:0; content:"&appName="; distance:0; content:"&KillList="; distance:0; classtype:trojan-activity; sid:2014191; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/118GotYourNo Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/count"; http_uri; content:"appTitle="; http_client_body; content:"&strLink="; distance:0; http_client_body; content:"&proFirstTime="; distance:0; http_client_body; content:"&proLastTime="; distance:0; http_client_body; content:"&appName="; distance:0; http_client_body; content:"&KillList="; distance:0; http_client_body; classtype:trojan-activity; sid:2014191; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/MediaGet Checkin"; flow:established,to_server; content:"<mediagetInstaller statVersion="; http_client_body; content:"mediagetIsAlreadyInstalled="; http_client_body; distance:0; classtype:trojan-activity; sid:2014192; rev:4;)
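Review bot: The Blackhole Acrobat rule (sid 2014195) is disabled with a single `#` and keeps its `ET CURRENT_EVENTS` msg, while the two other rules retired in this hunk (sid 2014189 and sid 2014194) use `##` and are renamed `ET DELETED`; the file appears to use `#` for a temporarily disabled rule and `##`/DELETED for a retired one, so it is unclear which is meant here. Its pcre `\/adp\d\.php\?=[0-9a-z]{2,6}` also requires `?=` directly after `.php`, whereas the preceding `content:".php?f="` requires `?f=`, so the rule could never have fired as written. If it is meant to come back, the pcre should read `pcre:"/\/adp\d\.php\?f=[0-9a-z]{2,6}/Ui";`; if not, mark it `ET DELETED` with `##` like its neighbours.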
@@ -49460,6 +49574,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0D 0A|Cookie|3a| cid="; pcre:"/^\d{4}\r$/Rm"; classtype:trojan-activity; sid:2014198; rev:6;)
#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Exploiting IEPeers"; flow:established,to_client; content:"booom["; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; content:"booom["; distance:0; reference:url,www.kahusecurity.com/2011/cve-2011-2140-caught-in-the-wild/; reference:cve,2010-0806; classtype:trojan-activity; sid:2014199; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato/Cleaman Checkin"; flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern; content:"GET"; http_method; pcre:"/\?rnd=\d{5,7}\x20HTTP1\/1\.[01]\x0d\x0aHost\x3a\x20/"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,1d26f4c1cfedd3d34b5067726a0460b0d; reference:md5,45b3b6fcb666c93e305dba35832e1d42; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FCleaman.G; classtype:trojan-activity; sid:2014200; rev:3;)
#
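Review bot: The new IEPeers rule (sid 2014199) inspects the server response with `flow:established,to_client` but without `file_data`, unlike the other from-server content rules in this diff (the Driveby PDF rule sid 2014142 and the Delf/Troxen clickfraud rule sid 2014217), so its seven `booom[` matches run against the raw TCP payload and may miss responses that are gzip-encoded or chunked rather than the decoded body. Inserting `file_data;` before the first `content:"booom[";` puts the matches on the normalized response body. The `reference:url` cites a CVE-2011-2140 write-up while the `reference:cve` is 2010-0806; that pairing is worth a second look to confirm both are intended.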
@@ -49490,6 +49607,9 @@
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Sykipot SSL Certificate serial number detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|00 ec 32 09 67 c9 34 3f 50|"; within:30; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014209; rev:3;)
#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Sykipot SSL Certificate subject emailAddress detected"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"marry.smith@ltu.edu"; within:400; reference:url,labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/; classtype:trojan-activity; sid:2014210; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MSUpdater alt checkin to CnC"; flow:established,to_server; content:"/microsoft/errorpost/default/connect.aspx?ID="; http_uri; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014211; rev:1;)
#
@@ -49511,7 +49631,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Delf/Troxen/Zema controller delivering clickfraud instructions"; flow:established,to_client; file_data; content:"<md5>"; within:5; content:"</md5><url>"; distance:16; within:11; classtype:trojan-activity; sid:2014217; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC sk1 and bn1 post parameters"; flow:established,to_server; content:"POST"; nocase; http_method; content:"bn1="; depth:4; http_client_body; fast_pattern; content:"&sk1="; http_client_body; pcre:"/&sk1=[A-F0-9]{30,}/P"; classtype:trojan-activity; sid:2014218; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC sk1 and bn1 post parameters"; flow:established,to_server; content:"POST"; nocase; http_method; content:"bn1="; depth:4; http_client_body; fast_pattern; content:"&sk1="; http_client_body; pcre:"/&sk1=[A-F0-9]{30}/P"; classtype:trojan-activity; sid:2014218; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:trojan-activity; sid:2014219; rev:2;)
@@ -49547,7 +49667,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32.Idicaf/Atraps"; flow:to_server,established; dsize:780; content:"|00 00 00 00 00 00 00 00|"; depth:8; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 9C 00 00 00|"; distance:31; within:5; fast_pattern; content:"|00 00 00|"; distance:1; within:3; content:"|00 00 00|"; distance:1; within:3; content:"|00 00|"; distance:2; within:2; content:"|00|"; distance:172; within:1; reference:url,www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf; classtype:trojan-activity; sid:2014228; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NfLog Checkin"; flow:to_server,established; content:"/NfLog/Nfile.asp"; http_uri; content:"GetFile"; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014229; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN NfLog Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/Nfile.asp"; fast_pattern:only; http_uri; content:"Content-Length|3a| 7|0d 0a|"; http_header; content:"GetFile"; depth:7; http_client_body; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014229; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Karagany/Kazy Obfuscated Payload Download"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"windows-update-"; fast_pattern; http_header; distance:0; content:".exe"; distance:0; http_header; file_data; content:!"MZ"; within:2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FKaragany.I; reference:url,www.virustotal.com/file/6c7ae03b8b660826f0c58bbec4208bf03e704201131b3b5c5709e5837bfdd218/analysis/1334672726/; classtype:trojan-activity; sid:2014230; rev:4;)
@@ -49562,19 +49682,19 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; content:"User-Agent|3a| asafaweb.com|0d 0a|"; http_header; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|Host|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0"; http_header; content:"|3b| Windows 98)"; within:13; fast_pattern; http_header; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014234; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|Host|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0"; http_header; content:"|3b| Windows 98)"; within:13; fast_pattern; http_header; flowbits:set,ET.Fareit.chk; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014234; rev:9;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info.exe"; http_header; distance:0; content:"|0d 0a|"; http_header; within:3; classtype:bad-unknown; sid:2014235; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?info\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014235; rev:7;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts.exe"; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:3; http_header; classtype:bad-unknown; sid:2014236; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - contacts.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"contacts."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; within:6; http_header; pcre:"/attachment\x3b[^\r\n]*?contacts\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014236; rev:5;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - calc.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"calc.exe"; http_header; distance:0; content:"|0d 0a|"; http_header; within:3; classtype:bad-unknown; sid:2014237; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about.exe"; http_header; distance:0; content:"|0d 0a|"; within:3; http_header; classtype:bad-unknown; sid:2014238; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - about.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"about."; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?about\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014238; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN W32.Duptwux/Ganelp FTP Username - onthelinux"; flow:established,to_server; content:"USER onthelinux"; depth:15; classtype:trojan-activity; sid:2014239; rev:1;)
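Review bot: The rewritten about.exe rule (sid 2014238, L2304) is the only one of the three payload-download rules in this hunk without `fast_pattern` on the filename content; sids 2014235 and 2014236 mark `info.` and `contacts.` as fast pattern, and without it the engine selects the longest content, `attachment|3b|`, which occurs in almost every legitimate file download and makes the added pcre run far more often. Changing the line to `content:"about."; fast_pattern; http_header; distance:0;` makes the three rules consistent. Separately, sid 2014234 (L2293) now sets `ET.Fareit.chk`, as does sid 2014411 at L2421, but no rule in this diff tests that bit with `flowbits:isset`; if the consumer lives elsewhere in the file that is fine, otherwise the flowbit is dead state.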
@@ -49649,12 +49769,15 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Pasta.IK Checkin"; flow:established,to_server; content:"/data/index.asp?act="; http_uri; content:"&ver=Ver"; http_uri; content:"&a="; http_uri; reference:md5,1a13d56365e864aba54967d4745ab660; classtype:trojan-activity; sid:2014263; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfLog/NfStart.asp?ClientId="; http_uri; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014266; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.NfLog Checkin (TTip)"; flow:to_server,established; content:"/NfStart.asp?ClientId="; http_uri; nocase; reference:url,contagiodump.blogspot.com/2012/02/feb-9-cve-2011-1980-msoffice-dll.html; classtype:trojan-activity; sid:2014266; rev:3;)
#
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Query for Known Hostile *test.3322.org.cn Domain"; content:"|01 00 00 01 00 00 00 00 00|"; depth:9; offset:2; content:"test|04|3322|03|org|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.sans.org/reading_room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware_33814; reference:md5,e4afcee06ddaf093982f80dafbf9c447; classtype:trojan-activity; sid:2014267; rev:1;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.RShot Checkin"; flow:established,to_server; content:"connected#"; depth:10; content:"#Windows "; content:"##"; distance:0; dsize:<120; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:trojan-activity; sid:2014268; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.RShot HTTP Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|3B| name=|22|bot_id|22 0D 0A 0D 0A|"; fast_pattern; content:" name=|22|os_version|22 0D 0A 0D 0A|"; reference:md5,c0aadd5594d340d8a4909d172017e5d0; classtype:trojan-activity; sid:2014269; rev:2;)
#
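Review bot: The newly inserted sid 2014268 (L2315) is followed by an empty line (L2316) and then the `#` separator, whereas every other rule in this file is separated by a single `#` line; the same layout appears after sids 2016907 and 2014298 in the hunk ending at L2365 (L2353 and L2356). Dropping the blank lines keeps the one-`#`-between-rules convention. The RShot rule itself carries no `fast_pattern`, so the engine will pick the longest content, `connected#`, which is anchored by `depth:10` and is presumably the intended choice; marking it explicitly (`content:"connected#"; depth:10; fast_pattern;`) documents that and protects it from a later content edit changing the selection.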
@@ -49676,10 +49799,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Tax Landing Page with JavaScript Attack"; flow:established,from_server; content:"Please wait, till tax confirmation is ready."; fast_pattern:only; content:"try{"; content:"catch("; classtype:attempted-admin; sid:2014274; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rovnix Status Report to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/data.php?version="; http_uri; content:"&user="; http_uri; content:"&server="; http_uri; content:"&id="; http_uri; content:"&type="; http_uri; content:"&name="; http_uri; pcre:"/\/data\.php\?version=\d+&user=\d+&server=\d+&id=\d+&type=\d+&name=/U"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014275; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rovnix Activity"; flow:established,to_server; content:".php?version="; http_uri; fast_pattern:only; content:"&user="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{31,32}&/Ui"; content:!"Referer|3a 20|"; http_header; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014275; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014276; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:trojan-activity; sid:2014276; rev:3;)
#
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query for try2check.me Carder Tool"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|try2check|02|me|00|"; fast_pattern; nocase; reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort; classtype:bad-unknown; sid:2014277; rev:2;)
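Review bot: sid 2014275 (L2324) now keys on a generic `.php?version=` URI with `fast_pattern:only`, and the remaining discriminators are the `&user=`/`&server=`/`&crc=` parameters, the missing Referer and the pcre `user=[a-f0-9]{31,32}&`. The `{31,32}` quantifier sits next to `{32}` in the disabled config rule (sid 2014276, L2327) and is not explained anywhere; a `#` comment above the rule noting which samples produced a 31-character id would stop it being "corrected" back to `{32}` later. The message was also shortened to "Activity", which no longer tells an analyst what kind of exchange fired, so keeping a hint such as "Status Report/Config Request" in the msg would help triage.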
@@ -49694,7 +49817,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 6"; flow:established,to_server; content:"/ap1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014280; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014281; rev:3;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"Mlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014281; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Download Secondary Request ?pagpag"; flow:established,to_server; content:".php?pagpag="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014282; rev:2;)
@@ -49715,7 +49838,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a 3322.org.cn Domain"; flow:to_server,established; content:"Host|3a| "; http_header; content:".3322.org.cn|0D 0A|"; within:50; http_header; classtype:bad-unknown; sid:2014289; rev:1;)
##by Pedro Marinho
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Infostealer.Banprox Proxy.pac Download"; flow:from_server,established; file_data; content:"FindProxyForURL"; distance:0; content:"|22|PROXY"; distance:0; content:"(shExpMatch(host, "; distance:0; content:"(shExpMatch(host, "; distance:0; content:"(shExpMatch(host, "; distance:0; content:"(shExpMatch(host, "; distance:0; content:"hsbc"; reference:md5,3baae632d2476cbd3646c5e1b245d9be; classtype:trojan-activity; sid:2014435; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Infostealer.Banprox Proxy.pac Download"; flow:from_server,established; file_data; content:"FindProxyForURL"; distance:0; content:"|22|PROXY"; distance:0; content:"(shExpMatch(host, "; distance:0; content:"(shExpMatch(host, "; distance:0; content:"(shExpMatch(host, "; distance:0; content:"(shExpMatch(host, "; distance:0; content:".com.br"; pcre:"/(?:www\.(?:(?:hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|b(?:an(?:cohsbc|espa)|radesco(?:prime)?)|santander(?:banespa|net)?)\.com\.br|c(?:(?:aixa(?:economica(?:federal)?)?\.gov|ef\.(?:com|gov))\.br|redicard\.com))|(?:(?:hsbc(?:pr(?:ivatebank|emier)|ba(?:merindus|nk))?|b(?:an(?:cohsbc|risul)|radescoprime)|santander)\.com|c(?:aixa(?:economica(?:federal)?)?\.gov|ef\.(?:com|gov)))\.br|\*(?:linhadefensiva\*|hsbc\*))/"; reference:md5,3baae632d2476cbd3646c5e1b245d9be; reference:md5,ace343a70fbd26e79358db4c27de73db; classtype:trojan-activity; sid:2014435; rev:10;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.PEx.942728546 Checkin"; flow:established,to_server; content:".com.exe"; http_uri; fast_pattern; content:"User-Agent|3a| GetRight/"; http_header; reference:md5,25e9e3652e567e70fba00c53738bdf74; reference:url,threatcenter.crdf.fr/?More&ID=74977&D=CRDF.Backdoor.Win32.PEx.942728546; classtype:trojan-activity; sid:2014290; rev:1;)
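Review bot: The pcre added to sid 2014435 (L2341) is a compacted, apparently machine-generated alternation of bank hostnames with no anchor and no buffer or relative modifier, so it cannot be maintained by hand and a later editor cannot tell which domains it covers without decompiling it. A `#` comment above the rule along the lines of `# sid 2014435: pcre generated from the list of Brazilian bank hostnames (hsbc*, bradesco*, santander*, caixa*, cef, credicard, banrisul, banespa, linhadefensiva) targeted by the PAC file; regenerate, do not hand-edit` would preserve that knowledge. Because the regex is unanchored it is scanned over the whole file_data buffer each time the preceding contents match; that is probably acceptable given the four `shExpMatch` prefilters, but is worth stating in the same comment.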
@@ -49745,19 +49868,25 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FlashBack Mac OSX malware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/aaupdate/"; fast_pattern; http_uri; content:"User-Agent|3a| "; http_header; content:!"Mozilla"; within:7; http_header; content:!"|0d 0a|"; within:124; http_header; reference:url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/; classtype:trojan-activity; sid:2014596; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_0"; http_header; content:!"9"; within:1; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_"; http_header; content:!"51"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:24;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; content:"/stat.php?w="; http_uri; content:"&i="; http_uri; content:"&a="; http_uri; content:"User-Agent|3A| Opera/6"; http_header; content:"|3B| LangID="; http_header; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:trojan-activity; sid:2014604; rev:2;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Spy.Win32.Agent.byhm User-Agent (EMSCBVDFRT)"; flow:to_server,established; content:"User-Agent|3a| EMSCBVDFRT|0d 0a|"; http_header; classtype:trojan-activity; sid:2016907; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Javascript 171 charcodes >= 48"; flow:established,from_server; content:"G<H6>F=7.49B7F"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014298; rev:1;)
+
+#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:trojan-activity; sid:2014300; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme.exe"; http_header; distance:0; content:"|0d 0a|"; http_header; within:3; classtype:bad-unknown; sid:2014301; rev:6;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - readme.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"readme."; fast_pattern; http_header; distance:0; content:"|0d 0a|"; http_header; within:6; pcre:"/attachment\x3b[^\r\n]*?readme\.(dll|exe)[\x22\x27]?\r?$/Hmi"; classtype:bad-unknown; sid:2014301; rev:7;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious HTTP Referrer C Drive Path"; flow:established,to_server; content:"Referer|3A 20|res|3A 2F 2F|c|3A 5C|"; nocase; http_header; reference:md5,8ef81f2555725f7eeae00b3e31229e0e; classtype:trojan-activity; sid:2014302; rev:1;)
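Review bot: The version check in sid 2014297 (L2348) now treats every `Java/1.7.0_` user agent as vulnerable except the one whose update number begins with `51`, i.e. the current patch level at the time of the change; as soon as the next Java 7 update ships the rule will flag fully patched clients, and the revision history (rev 12 to 24) shows this exclusion is rewritten on every release. A `#` comment above the rule, e.g. `# sid 2014297: the negated content is the latest non-vulnerable 1.7.0 update (currently _51); update it with each Java 7 release`, makes that maintenance contract explicit instead of implicit in the diff history. Note also that `within:2` compares only the two bytes after the underscore, so any future update number starting with `51` would be excluded as well; harmless today, but worth knowing when the comment is written.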
@@ -49784,10 +49913,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegSubsDat Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"000000/log"; http_uri; fast_pattern:only; pcre:"/\/\d\d[A-F0-9]000000\/log$/U"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014310; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegSubsDat Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"0000/log"; http_uri; fast_pattern:only; pcre:"/\/\d\d[A-F0-9]{4}0000\/log$/U"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014310; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RegSubsDat Checkin Off Ports"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"000000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]000000\/log /"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014311; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RegSubsDat Checkin Off Ports"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"0000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]{4}0000\/log /"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014311; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; file_data; content:"|3B 20|Ini download file modue"; nocase; distance:0; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:1;)
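Review bot: The new pcre in sids 2014310 and 2014311 (L2370, L2373), `\/\d\d[A-F0-9]{4}0000\/log`, requires exactly ten characters between the slashes, so the nine-character form the previous revision matched (`\d\d[A-F0-9]000000`) no longer fires; if that older id format is still seen, a single pattern such as `\/\d\d[A-F0-9]{1,4}0{4,6}\/log` covers both at the cost of being slightly looser. If the change is deliberate because the old form was wrong, a short `#` note above the rule saying so would stop the next reviewer from asking the same question. The `0000/log` fast-pattern content already matches both forms, so only the pcre would need to change.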
@@ -49874,10 +50003,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware Checkin"; flow:established,to_server; content:"/inst.asp?d="; http_uri; content:"&cl="; http_uri; content:"&l="; http_uri; content:"&e="; http_uri; content:"&v="; http_uri; content:"&uid="; http_uri; content:"&time="; http_uri; content:"&win="; http_uri; content:"&ac="; http_uri; content:"&ti="; http_uri; content:"&xv="; http_uri; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014339; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware User Agent"; flow:established,to_server; content:"User-Agent|3A 20|zz_gv "; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014340; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance Adware User Agent"; flow:established,to_server; content:"User-Agent|3a| zz_"; http_header; pcre:"/^User-Agent\x3a zz_[a-z0-9]{1,3} [0-9]\.[0-9]{1,2}\.[0-9]{2,4}/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014340; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,22d3165c0e80ba50bc6a42a2e82b2874; classtype:trojan-activity; sid:2014341; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Installshield One Click Install User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,22d3165c0e80ba50bc6a42a2e82b2874; classtype:trojan-activity; sid:2014341; rev:1;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|SnadBoy"; http_header; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:2;)
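Review bot: sid 2014341 (L2383) is re-labelled from `ET MALWARE ... Suspicious User-Agent` to `ET POLICY Installshield One Click Install ...` but keeps `classtype:trojan-activity` and stays at `rev:1`, unlike every other modified rule in this diff. The revision must be bumped so rule managers that key on sid/rev pick up the new message at all. If the traffic is now considered a legitimate installer, the classtype should follow the message as well, e.g. `classtype:policy-violation` as used at L2408, although the neighbouring POLICY rule sid 2014342 (L2385) also still carries `trojan-activity`, so this may be a file-wide inconsistency rather than a one-off.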
@@ -49910,7 +50039,7 @@
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014351; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; content:"CHAR("; http_uri; nocase; pcre:"/CHAR\([0-9]{2,3}\)char\([^\x0d\x0a\x20]{98,}/Ui"; classtype:attempted-admin; sid:2014352; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; content:"CHAR("; http_uri; nocase; pcre:"/CHAR\([0-9]{2,3}\)char\([^\x0d\x0a\x20]{98}/Ui"; classtype:attempted-admin; sid:2014352; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE W32/MediaGet.Adware Installer Download"; flow:established,to_client; content:"Set-Cookie|3A|MediagetDownloaderInfo=installer"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:trojan-activity; sid:2014353; rev:1;)
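Review bot: The quantifier change in sid 2014352 (L2390) from `{98,}` to `{98}` is a pure performance fix (the unanchored `{98,}` backtracks over the rest of the URI while `{98}` accepts exactly the same inputs), which is not obvious from the rule text; a `#` note such as `# sid 2014352: {98} rather than {98,} - same matches, avoids backtracking` would keep it from being "corrected" back. While here, the pcre already carries the `i` flag, so the mixed `CHAR\(`/`char\(` spelling reads as if case mattered; using one spelling avoids the confusion.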
@@ -49940,7 +50069,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014362; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS Lookup of Algorithm Generated Zeus CnC Domain (DGA) in .ru"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern:only; pcre:"/[a-z0-9]{33,}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014363; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS Lookup of Algorithm Generated Zeus CnC Domain (DGA)"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; pcre:"/[a-z0-9]{33,}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014363; rev:6;)
#
alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2;)
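Review bot: The message of sid 2014363 (L2397) drops "in .ru", but the rule still matches only `|02|ru|00|` and the pcre still ends in `\x02ru\x00\x00`, so the name is now broader than the detection and an analyst reading the alert would assume other TLDs are covered. Either keep the TLD in the msg or, if the intent is to generalise, change the content and pcre with it. This rule also overlaps almost entirely with sid 2014376 (L2404, next hunk), which after its `|02|eu|00|` to `|02|ru|00|` fix matches the same queries with a slightly tighter pcre; one of the two could probably be retired or the two message texts aligned.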
@@ -49973,7 +50102,7 @@
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014372; rev:4;)
#
-alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|eu|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014376; rev:1;)
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|02|ru|00|"; fast_pattern; pcre:"/[^a-z0-9\-\.][a-z]{32,48}\x02ru\x00\x00/"; classtype:trojan-activity; sid:2014376; rev:3;)
#
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Zeus .ru CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|ru|00|"; fast_pattern:only; pcre:"/[^a-z0-9\-\.][a-z0-9]{32,48}\x02ru\x00\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014373; rev:1;)
@@ -50063,10 +50192,10 @@
alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/><title>Keystrokes - iKeyMonitor</title><style "; reference:url,moreinfo.thebigboss.org/moreinfo/depiction.php?file=ikeymonitorDp; classtype:policy-violation; sid:2014406; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; content:"visited=TRUE"; fast_pattern; content:"visited=TRUE"; http_cookie; content:"mutex="; http_cookie; classtype:bad-unknown; sid:2014407; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Set"; flow:established,from_server; content:"visited=TRUE"; fast_pattern; content:"visited=TRUE"; http_cookie; content:"mutex="; http_cookie; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014407; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"visited=TRUE|3b| mutex="; http_header; content:"visited=TRUE|3b| mutex="; http_cookie; depth:20; classtype:bad-unknown; sid:2014408; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"ited=TRUE|3b| mutex="; fast_pattern:only; content:"visited=TRUE|3b| mutex="; http_cookie; depth:20; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014408; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; content:!"&"; http_uri; content:!"."; http_uri; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:5;)
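Review bot: In sid 2014408 (L2414) the raw-payload content was changed from `visited=TRUE|3b| mutex=` to `ited=TRUE|3b| mutex=` with `fast_pattern:only`; because a `fast_pattern:only` content is consulted only by the pattern matcher and never re-verified, the truncation does not change what the rule matches (the `http_cookie` content with `depth:20` still requires the full string), but it reads like a copy-paste slip. If the shorter pattern is intentional, a `#` comment saying why would save the next reader the same analysis; otherwise restoring `visited=` keeps the fast pattern as long, and therefore as selective, as possible.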
@@ -50075,13 +50204,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Ixeshe"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; fast_pattern:only; content:"/ym/Attachments?YY="; nocase; http_uri; reference:url,blog.spiderlabs.com/2012/03/dirty-rat.html; classtype:trojan-activity; sid:2014410; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/pony/gate.php"; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows 98)"; http_header; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014411; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a|Content-Encoding|3a| binary|0d 0a|"; http_header; fast_pattern:8,20; content:" MSIE "; http_header; content:!"Referer|3a 20|"; http_header; content:" HTTP/1.0|0d 0a|"; pcre:"/\r\nUser-Agent\x3a\x20[^\r\n]+\sMSIE\s[^\r\n]+\r\n(\r\n)?$/H"; flowbits:set,ET.Fareit.chk; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014411; rev:7;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:1;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; content:"client=done"; http_cookie; depth:11; classtype:bad-unknown; sid:2014413; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; content:"client=done"; http_cookie; depth:11; classtype:bad-unknown; sid:2014413; rev:3;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole Landing Page applet param window.document"; flow:established,from_server; file_data; content:"<applet"; within:100; content:"<param"; distance:0; content:"window.document"; distance:0; classtype:bad-unknown; sid:2014414; rev:1;)
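Review bot: The pcre in sid 2014411 (L2421), `/\r\nUser-Agent\x3a\x20[^\r\n]+\sMSIE\s[^\r\n]+\r\n(\r\n)?$/H`, only matches when `User-Agent` is the last header line of the request, so a sample that orders its headers differently would be missed even though the `Content-Encoding|3a| binary`, HTTP/1.0 and no-Referer checks are all satisfied; if that ordering is a known constant of the Fareit stub it is a strong discriminator and deserves a `#` comment stating so, otherwise the trailing `$` anchor should go. The `fast_pattern:8,20` offset also silently depends on `|0d 0a|Content` being the first eight bytes of that content, which is easy to break when the string is edited; a comment such as `# sid 2014411: fast_pattern 8,20 skips the leading CRLF+"Content" on purpose` would flag that.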
@@ -50156,13 +50285,13 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe|0d 0a|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014441; rev:5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014441; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U"; pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014442; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Requested - *.php?*=16HexCharacters in http_uri"; flow:to_server,established; urilen:>23; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,7}=[a-f0-9]{16}$/U"; pcre:"/=.*[a-f].*$/U"; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014442; rev:9;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"; flow:from_server,established; flowbits:isset,et.exploitkitlanding; file_data; content:"<applet"; classtype:bad-unknown; sid:2014443; rev:4;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Recieved - applet and flowbit"; flow:from_server,established; flowbits:isset,et.exploitkitlanding; file_data; content:"<applet"; classtype:bad-unknown; sid:2014443; rev:5;)
#Duplicate of 2013436 disabled
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Page redirecting to driveby"; flow:from_server,established; file_data; content:"/Home/index.php\" width=1 height=1 scrolling=no></iframe>"; distance:0; classtype:bad-unknown; sid:2014444; rev:5;)
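Review bot: 2014441 and 2014442 are switched off with a bare `#` and no reason, while the file's own convention two lines below records why a rule was disabled (`#Duplicate of 2013436 disabled`) and 2014443 in the same hunk was given the `ET DELETED` treatment instead. A one-line comment above each disabled rule, in that same `#<reason> disabled` form, would tell the next maintainer whether they are expected to come back or can be moved to deleted.rules. Both rules were `flowbits:noalert` setters, so nothing alerts less after this change; only any remaining `isset` consumers of `et.exploitkitlanding` lose these two triggers, which is worth stating in that comment.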
@@ -50171,6 +50300,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack Payload"; flow:established,to_server; content:".php"; http_uri; content:"quote="; distance:0; http_uri; content:"tid=";http_uri; content:"fid="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014445; rev:6;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Andromeda Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern:12,13; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})([\r\n](?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4}))?$/Pi"; reference:md5,50a538221e015d77cf4794ae78978ce2; classtype:trojan-activity; sid:2016223; rev:6;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Dynamic DNS Exploit Pack Landing Page /de/sN"; flow:established,to_server; content:"/de/s"; http_uri; depth:5; urilen:6; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014446; rev:2;)
#
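Review bot: The optional second body line in the pcre of the new 2016223 is joined by a single `[\r\n]`, so a CRLF-separated two-line base64 body will not match — the `\n` after `\r` is not a base64 character and the anchored `$` then fails. If the sample's second line is CRLF-delimited (the `reference:md5` does not let me confirm this), `\r?\n` or `[\r\n]{1,2}` in place of `[\r\n]` is the intended shape; if the sample only ever sends a bare `\n`, a comment saying so would stop someone "fixing" it later. The `i` modifier is redundant for a character class that already spells both cases. The blank line inserted before the `#` separator also breaks the one-`#`-between-rules layout used everywhere else in this file.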
@@ -50375,7 +50507,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection"; flow:established,to_server; content:"/stat_d/"; http_uri; pcre:"/\/stat_d\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014522; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection 2"; flow:established,to_server; content:"/stat_u/"; http_uri; pcre:"/\/stat_u\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2804759; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting successful infection 2"; flow:established,to_server; content:"/stat_u/"; http_uri; pcre:"/\/stat_u\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014523; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OSX/Flashback.K/I reporting failed infection"; flow:established,to_server; content:"/stat_n/"; http_uri; pcre:"/\/stat_n\/$/U"; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml; reference:url,f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml; reference:url,vms.drweb.com/virus/?i=1816029; classtype:trojan-activity; sid:2014524; rev:2;)
@@ -50483,6 +50615,9 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; classtype:bad-unknown; sid:2014549; rev:1;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32/Mutopy.A Checkin"; flow:to_server,established; content:"/protocol.php?p="; fast_pattern:only; http_uri; content:"&d="; http_uri; pcre:"/&d=.{44}$/U"; reference:md5,2a0344bac492c65400eb944ac79ac3c3; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FMutopy.A&ThreatID=-2147312217; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/header-spoofing-hides-malware-communication/; classtype:trojan-activity; sid:2016963; rev:4;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2;)
#
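Review bot: `fast_pattern:only` on `/protocol.php?p=` in the new 2016963 hands that content to the fast pattern matcher and never re-evaluates it as a rule option; since the fast pattern matcher is case-insensitive, the URI prefix is effectively matched `nocase`, which the rest of the rule does not make obvious. If that is intended (the rule still requires `&d=` plus a 44-character tail in the normalized URI, so the loosening is small), add `#fast_pattern:only: prefix is matched case-insensitively and not re-verified`; otherwise a plain `fast_pattern;` keeps the exact check. The blank line added before the `#` separator departs from the single-`#` spacing used between rules in this file.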
@@ -50516,7 +50651,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; distance:0; classtype:trojan-activity; sid:2014560; rev:4;)
##by Nathan Fowler
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; http_header; fast_pattern:37,20; content:"*|3b|q=0"; http_header; content:"HTTP/1.0|0d 0a|Host|3a 20|"; classtype:trojan-activity; sid:2014562; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pony Downloader HTTP Library MSIE 5 Win98"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; http_header; fast_pattern:37,20; content:"*|3b|q=0"; http_header; content:"HTTP/1.0|0d 0a|Host|3a 20|"; classtype:trojan-activity; sid:2014562; rev:4;)
##by Nathan Fowler
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:5;)
@@ -50627,7 +50762,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"|01 00 00 00|"; depth:4; content:!"|00|"; distance:0; within:1; content:"|00|"; distance:1; within:1; content:"|00|"; distance:61; within:1; content:"Windows|20|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:12; within:20; classtype:trojan-activity; sid:2014600; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.B Checkin"; flow:from_client,established; dsize:536<>1028; content:"|01 00 00 00|"; depth:4; content:!"|26|"; distance:0; within:1; content:"|26|"; distance:1; within:1; content:"|26|"; distance:61; within:1; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:204; within:20; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:12; within:20; classtype:trojan-activity; sid:2014601; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.B Checkin"; flow:from_client,established; dsize:536<>1029; content:"|01 00 00 00|"; depth:4; content:!"|26|"; distance:0; within:1; content:"|26|"; distance:1; within:1; content:"|26|"; distance:61; within:1; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:204; within:20; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:12; within:20; classtype:trojan-activity; sid:2014601; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:trojan-activity; sid:2014606; rev:3;)
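Review bot: The only effect of moving the upper bound from `dsize:536<>1028` to `536<>1029` is to admit a 1028-byte payload, and only on an engine where `<>` is exclusive; Snort and Suricata documentation have not agreed on whether the range ends are inclusive, so the intent is not recoverable from the rule and the boundary case behaves differently per sensor. Record it above the rule, e.g. `#dsize 536<>1029: the 1028-byte variant must match; <> is exclusive on Suricata, confirm on Snort before tightening`. Note 2014600 (Nitol.A) keys on exactly 1028 bytes with `|00|` at offset 6 while this rule requires `|26|` there, so the two cannot double-fire on the same packet.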
@@ -50663,6 +50798,9 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:6;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader.Win32.Agent.vhvw Checkin MINIASP"; flow:to_server,established; content:".asp?device_t="; http_uri; content:"&key="; http_uri; content:"&device_id="; http_uri; content:"&cv="; http_uri; reference:md5,e4a4e2a3b3adaf3a31e34cd2844a3374; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1042762#none; classtype:trojan-activity; sid:2016430; rev:2;)
+
+#
alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"ET POLICY Cisco IOS Self Signed Certificate Served to External Host"; flow:established,to_client; content:"|16 03|"; content:"|0b|"; within:7; content:"IOS-Self-Signed-Certificate-"; distance:0; classtype:misc-activity; sid:2014617; rev:1;)
#
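Review bot: The four `http_uri` contents in the new 2016430 are each searched from the start of the normalized URI with no relative modifier, so `&key=`, `&device_id=` and `&cv=` may appear in any order and anywhere in the URI, not necessarily after `.asp?device_t=`. If the sample always sends them in this order, `distance:0` on the last three tightens the match for free; if the order varies, a comment saying so will save the next maintainer from adding it. The `#none` fragment on the McAfee reference URL is inert and can be dropped. The blank line inserted before the `#` separator breaks the one-`#` spacing used between rules elsewhere in the file.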
@@ -50717,7 +50855,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)"; flow:to_server,established; content:"|16 03 00|"; depth:3; content:"|01|"; distance:2; within:1; byte_extract:3,0,SSL.Client_Hello.length,relative; byte_jump:1,34,relative; byte_test:2,>,SSL.Client_Hello.length,0,relative; reference:md5,a01d75158cf4618677f494f9626b1c4c; classtype:trojan-activity; sid:2014635; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Poison.BI"; flow:established,to_server; content:"<html><title>12356</title><body>"; depth:32; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:trojan-activity; sid:2014636; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32/Poison.BI"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:trojan-activity; sid:2014636; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Maljava Dropper for OS X"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/install_flash_player.py"; nocase; http_uri; reference:url,www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once; classtype:trojan-activity; sid:2014638; rev:3;)
@@ -50819,16 +50957,16 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:1;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:7;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set - Likely Kazy"; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:9;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; byte_test:1,&,64,2; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:6;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set - Likely Kazy"; byte_test:1,&,64,2; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:7;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; byte_test:1,&,64,3; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:5;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set - Likely Kazy"; byte_test:1,&,64,3; threshold: type limit, count 1, seconds 120, track by_dst; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; content:"?"; http_uri; content:"-"; http_uri; distance:0; content:!"="; http_raw_uri; pcre:"/(\.php|\/)\?[\s\+]*\-[A-Za-z]/Ui"; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; content:"?"; http_uri; content:"-"; http_uri; distance:0; content:!"="; http_raw_uri; pcre:"/(?:\/(?:php)?|\.php)\?[\s\+]*\-[A-Za-z]/Ui"; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; content:"/load_module.php?e="; http_uri; priority:1; classtype:trojan-activity; sid:2014705; rev:2;)
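Review bot: The new `threshold: type limit, count 1, seconds 120, track by_dst` on 2014701–2014703 rate-limits per external destination, but these are `$HOME_NET -> $EXTERNAL_NET` rules whose value is naming the internal host that emits malformed DNS; with `by_dst`, once one host has alerted against a given resolver or C2 address, every other infected host talking to the same address is silent for the rest of the window. `track by_src` keeps one alert per internal host per 120 seconds, which is the usual goal for a "Likely Kazy" indicator. If `by_dst` was chosen deliberately (for example to cap noise from a single forwarder), record that in a comment above the three rules so it is not "corrected" later.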
@@ -50894,10 +51032,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Windows Flash Version IE"; flow:established,to_server; content:"x-flash-version|3a| "; http_header; content:!"11,5,502,135|0d 0a|"; distance:0; within:14; http_header; content:"MSIE"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Windows Flash Version IE"; flow:established,to_server; content:"x-flash-version|3a| "; http_header; content:!"12,0,0,38|0d 0a|"; distance:0; within:11; http_header; content:"MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?MSIE\s/Hm"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:30;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"11,5,502,136|0d 0a|"; distance:0; within:14; http_header; content:"Macintosh"; http_header; pcre:"/^User-Agent\x3a.+?Macintosh/Hm"; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"12,0,0,38|0d 0a|"; within:11; http_header; content:"Macintosh"; http_header; pcre:"/^User-Agent\x3a.+?Macintosh/Hm"; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:26;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smoke Loader Checkin r=gate"; flow:established,to_server; content:".php?r=gate&"; http_uri; content:"&group="; http_uri; distance:0; content:"&debug="; http_uri; distance:0; content:"5.0 (Windows|3b| U|3b| MSIE 9"; http_header; reference:md5,fafada188ce47a1459f4fcea487f06b5; classtype:trojan-activity; sid:2014728; rev:3;)
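Review bot: Both rules pin a single accepted version string (`12,0,0,38`) and negate it, so any other `x-flash-version` value — older, newer, or differently formatted — alerts; after Adobe's next release every fully patched host trips "Outdated" until the rule is revised again, which the jump to rev:30 and rev:26 on lines that used to say `11,5,502,13x` already shows. Since a comma-separated version cannot be compared numerically with `byte_test` this is inherent to the design, but a comment above the pair (`#pinned to the current release; fires on NEWER versions too until bumped`) would stop operators from reading a burst of alerts after a Flash release as infections. The Mac rule dropped `distance:0` from the negated content while the IE rule kept it; `within:11` is relative to the previous match either way, so this is a consistency nit only.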
@@ -50918,7 +51056,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Snap Bot Receiving DDoS Command"; flow:to_client,established; file_data; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; classtype:policy-violation; sid:2014734; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET P2P BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; classtype:policy-violation; sid:2014734; rev:1;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:trojan-activity; sid:2014735; rev:2;)
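Review bot: The message on 2014734 changed from `ET POLICY` to `ET P2P` but `rev:1` was left untouched; a modified rule needs a rev bump so that sensors and rule-management tooling, which diff on sid/rev, pick up the new text. Change the tail to `sid:2014734; rev:2;`. `classtype:policy-violation` still reflects the old category, which may be intentional if the rename is only a message-level regrouping, but it is worth a second look.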
@@ -50927,28 +51065,28 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/andromeda.php?"; http_uri; nocase; content:"q="; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112549/Andromeda-Streaming-MP3-Server-1.9.3.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014736; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:1;)
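Review bot: 2014739 on the new side is the odd one out in this otherwise uniform direction fix: it dropped the `file_data` that its siblings (2014737, 2014738, 2014740–2014744) all keep, and its `rev:2` was not bumped even though the header changed. Without `file_data` the CLSID and `cmdExport` contents are searched in the raw reassembled payload rather than the decoded HTTP response body, so a compressed or chunked page that the other seven rules would catch is presumably missed here. Restore the sibling form, `flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; ...`, and bump to `rev:3;`.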
@@ -50978,7 +51116,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie|3a| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,8174d42fd82457592c573fe73bdc0cd5; classtype:trojan-activity; sid:2014759; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear/Safe/CritX/FlashPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.HLLW.Autoruner USA_Load UA"; flow:established,to_server; content:"User-Agent|3A 20|USA_Load"; http_header; reference:url,news.drweb.com/show/?i=2440&lng=en&c=5; classtype:trojan-activity; sid:2014752; rev:1;)
@@ -51002,16 +51140,16 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From|3A 20 22|Infected|22|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:1;)
##by StillSecure
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:4;)
##by StillSecure
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:4;)
##by StillSecure
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:4;)
##by StillSecure
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:4;)
##by StillSecure
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/rdc/rnd.php"; http_uri; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:trojan-activity; sid:2014767; rev:5;)
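Review bot: The two Windows Live Writer rules (sids 2014765 and 2014766) are rewritten for the header fix but keep the misspelled `Denail of Service` in their msg; the msg is what analysts search, correlate and suppress on, so correct it while the rev is already being bumped: `msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denial of Service Attack"` (and `... Attack 2` for 2014766). The direction change itself is the right fix: the old `$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS` header combined with `flow:to_client` could never match a server response being delivered to a browser, so these rules were effectively dead until now.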
@@ -51107,7 +51245,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; content:"Host|3a| swupdate.openvpn.net|0d 0a|"; fast_pattern:14,14; http_header; content:"User-Agent|3a| Twisted PageGetter|0d 0a|"; http_header; classtype:policy-violation; sid:2014799; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; file_data; content:"getElementById']('qwe')"; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:1;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; file_data; content:"getElementById']('qwe')"; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:1;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:1;)
@@ -51122,16 +51260,16 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Install 2"; flow:to_server,established; content:"/api/urls/?ts="; http_uri; content:"&affid="; http_uri; content:"GTB0.0|3b|"; http_header; reference:md5,181999985de5feae6f44f9578915417f; classtype:trojan-activity; sid:2014816; rev:3;)
##by StillSecure
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:3;)
##by StillSecure
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:4;)
##by StillSecure
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:trojan-activity; sid:2014810; rev:3;)
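Review bot: Sids 2014808 (rev 3 to 5) and 2014809 (rev 2 to 4) jump by two while the SkinCrafter rules in the same hunk, changed in exactly the same way, bump by one. If no intermediate revision was ever published, use `rev:4;` and `rev:3;` respectively so the revision history stays contiguous for downstream tooling that diffs rule sets by sid/rev; if there was one, it would help to say so in the commit message. The header fix (`$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any` with `flow:to_client,established`) is correct and consistent with the other ActiveX rules in this change.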
@@ -51188,25 +51326,28 @@
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2;)
#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Post Express Spam Inbound"; flow:established,to_server; content:"name=|22|Post_Express_Label_"; nocase; content:".zip|22|"; within:15; nocase; pcre:"/name=\x22Post_Express_Label_[a-z0-9\-_\.\s]{0,10}\.zip\x22/i"; classtype:trojan-activity; sid:2014829; rev:1;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014830; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; distance:0; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynPG CMS PathToRoot Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/plugins/DPGguestbook/guestbookaction.php?"; nocase; http_uri; content:"PathToRoot="; nocase; http_uri; pcre:"/PathToRoot=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/87907/DynPG-CMS-4.1.0-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014836; rev:2;)
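Review bot: The new Post Express rule (sid 2014829) carries no `reference:` option, so an analyst triaging the alert has nothing to pivot on; if it was built from a sample or a campaign write-up, add `reference:md5,<sample hash>` or `reference:url,<write-up>` as the surrounding rules do. The matching itself looks internally consistent: `within:15` after `name="Post_Express_Label_` leaves room for exactly the `{0,10}` filename characters plus `.zip"` that the pcre requires, so the content and the pcre cannot disagree. The empty line inserted after the rule, before the `#` separator, breaks the one-`#`-between-rules layout used throughout the file and should be dropped.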
@@ -51251,7 +51392,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; content:"value=|22|lxxt>"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern:only; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; classtype:bad-unknown; sid:2014854; rev:3;)
@@ -51314,16 +51455,16 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:1;)
##by StillSecure
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:5;)
##by StillSecure
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeauto view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jeauto"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96803/Joomla-JE-Auto-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014878; rev:3;)
@@ -51425,7 +51566,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:" Java/1."; http_header; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:" Java/1."; http_header; fast_pattern; content:"User-Agent|3A| Mozilla"; http_header; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:6;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:trojan-activity; sid:2014913; rev:3;)
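Review bot: Sid 2014912 is revised here but its msg still says "hex-ascii" while the pcre `[a-z0-9]{60,66}` with the `i` flag matches any alphanumeric run, so the name promises a tighter match than the rule performs. If the observed kit traffic really is hex only, tighten to `pcre:"/[\/\?][a-f0-9]{60,66}[\;0-9]/Ui"`; if non-hex characters were seen, change the msg to "gt 60char alphanumeric" instead so the alert name matches what fires. The explicit `fast_pattern` on ` Java/1.` rather than on the longer new `User-Agent|3A| Mozilla` content is the right call, since the latter appears in almost every HTTP request and would be a poor pre-filter.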
@@ -51557,7 +51698,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Capfire4 Checkin (update machine status)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/updMaqStatus"; http_uri; content:"User-Agent|3a| Clickteam"; http_header; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:trojan-activity; sid:2014953; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; content:"User-Agent|3a| iTunes/"; http_header; content:!"10.7"; http_header; within:4; flowbits:set,ET.iTunes.vuln; classtype:policy-violation; sid:2014954; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; content:"User-Agent|3a| iTunes/10.6."; http_header; pcre:"/^User-Agent\x3a\x20iTunes\/10\.6\.[0-1]/Hm"; flowbits:set,ET.iTunes.vuln; flowbits:noalert; classtype:policy-violation; sid:2014954; rev:8;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"|00 00 00 18 01 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; classtype:trojan-activity; sid:2014955; rev:2;)
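Review bot: The rewritten sid 2014954 now matches only `iTunes/10.6.0` and `iTunes/10.6.1` (`10\.6\.[0-1]`) while the msg still says "Vulnerable iTunes Version 10.6.x", so the name and the match no longer agree; either rename it to name the exact versions or widen the pcre if later 10.6 builds are also meant to be flagged. The content `User-Agent|3a| iTunes/10.6.` also requires a trailing dot, so a client that reports the bare `iTunes/10.6` would not set `ET.iTunes.vuln` — worth confirming against a real 10.6.0 User-Agent before relying on the flowbit. `[0-1]` has no trailing boundary; harmless unless a 10.6.1x version exists, but `[0-1](?!\d)` would make the intent explicit.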
@@ -51629,6 +51770,9 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Variant.Graftor.5628 CnC Traffic"; flow:to_server,established; dsize:24; content:"|0c 00 00 00 08 00 00 00 19 ff ff ff ff 00 00 00 00 11 00 00|"; offset:4; depth:20; reference:md5,81687637b7bf2b90258a5006683e781c; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/08/the-sunshop-campaign-continues.html; classtype:trojan-activity; sid:2016398; rev:8;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC POST /common/versions.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/versions.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014979; rev:1;)
#
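Review bot: The added Graftor rule is sid 2016398 at rev 8, inserted between sids 2014976 and 2014979; the file is otherwise ordered by sid, so it presumably belongs further down next to the other 2016xxx rules, and the `rev:8` on a line that appears new suggests it was moved rather than written here — if so, the commit message should say where it came from. The blank line inserted before the `#` separator breaks the layout used everywhere else in the file. Detection-wise, `dsize:24` with a 20-byte content at `offset:4; depth:20` leaves the first four bytes unchecked; if those bytes are constant in the referenced sample, folding them into the content would make the match tighter at no cost.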
@@ -51692,7 +51836,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC POST /common/timestamps.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/timestamps.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014999; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_header; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_header; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:4;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:3;)
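Review bot: In the revised sid 2015000 the third slash in `pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"` is unescaped while the one before it is escaped; both Snort and Suricata appear to locate the closing delimiter as the last `/` in the string, so the rule loads and matches as intended, but it reads as a truncated pattern and is easy to mis-edit later. Escape it for consistency: `pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}\/\w$/U"`. Adding `flow:established,to_server` is correct; without it the rule was evaluated on every direction and on unestablished streams.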
@@ -51710,13 +51854,13 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015006; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015006; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015007; rev:7;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015007; rev:8;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015009; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015009; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:2;)
@@ -51818,7 +51962,7 @@
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; file_data; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:trojan-activity; sid:2015043; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:trojan-activity; sid:2015044; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:trojan-activity; sid:2015044; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; file_data; content:"for("; distance:0; content:"|3B|"; within:20; content:">=0|3B|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n]*[0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:1;)
@@ -51827,7 +51971,7 @@
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:trojan-activity; sid:2015046; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:trojan-activity; sid:2015047; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:trojan-activity; sid:2015047; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:7;)
@@ -51836,7 +51980,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; distance:0; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; fast_pattern:only; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; fast_pattern:only; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015050; rev:3;)
@@ -51857,7 +52001,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"<html><body><script>"; distance:0; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:trojan-activity; sid:2015056; rev:1;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"<html><body><script>"; distance:0; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:trojan-activity; sid:2015056; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; distance:0; classtype:trojan-activity; sid:2015057; rev:2;)
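Review bot: The new line for sid 2015056 retires the rule differently from the other rules retired in this same change: it uses a single `#` and keeps `ET CURRENT_EVENTS` in the msg, while sids 2015044, 2015047 and 2015049 use `##` and are renamed `ET DELETED`. In this ruleset a single `#` reads as disabled-by-default but still shipped, and `##` plus `ET DELETED` reads as removed, so a consumer cannot tell from the hunk which of the two was intended. If the rule is being removed, the line should match its siblings: `##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; ...; sid:2015056; rev:2;)`. If it is only being disabled pending tuning, a preceding comment such as `# disabled: landing page structure sig too generic, pending refinement` (or whatever the actual reason is) would record why it remains in the file with a rev bump.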
@@ -52124,331 +52268,331 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"|3a| yayfefhrwawquwcw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015148; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015149; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015149; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015150; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015150; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015151; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015151; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015152; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015152; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015153; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015153; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015154; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015154; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015155; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015155; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015156; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015156; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015157; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015157; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015158; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015158; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015159; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015159; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015160; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015160; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015161; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015161; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015162; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015162; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015163; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015163; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015164; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015164; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015165; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015165; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015166; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015166; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015167; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015167; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015168; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015168; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015169; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015169; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015170; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015170; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015171; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015171; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015172; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015172; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015173; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015173; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015174; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015174; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015175; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015175; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015176; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015176; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015177; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015177; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015178; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015178; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015179; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015179; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015180; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015180; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015181; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015181; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015182; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015182; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015183; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015183; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015184; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015184; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015185; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015185; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015186; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015186; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015187; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015187; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015188; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015188; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015189; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015189; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015190; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015190; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015191; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015191; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015192; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015192; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015193; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015193; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015194; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015194; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015195; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015195; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015196; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015196; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015197; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015197; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015198; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015198; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015199; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015199; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015200; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015200; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015201; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015201; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015202; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015202; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015203; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015203; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015204; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015204; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015205; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015205; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015206; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015206; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015207; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015207; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015208; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015208; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015209; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015209; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015210; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015210; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015211; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015211; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015212; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015212; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015213; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015213; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015214; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015214; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015215; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015215; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015216; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015216; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015217; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015217; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015218; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015218; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015219; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015219; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015220; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015220; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015221; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015221; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015222; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015222; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015223; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015223; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015224; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015224; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015225; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015225; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015226; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015226; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015227; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015227; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015228; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015228; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015229; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015229; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015230; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015230; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015231; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015231; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015232; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015232; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015233; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015233; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015234; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015234; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015235; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015235; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015236; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015236; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015237; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015237; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015238; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015238; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015239; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015239; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015240; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015240; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015241; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015241; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015242; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015242; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015243; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015243; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015244; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015244; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015245; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015245; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015246; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015246; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015247; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015247; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015248; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015248; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015249; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015249; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015250; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015250; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015251; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015251; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015252; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015252; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015253; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015253; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015254; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015254; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015255; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015255; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015256; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015256; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015257; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015257; rev:1;)
#
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fjgtmicxtlxynlpf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015258; rev:4;)
@@ -52724,331 +52868,331 @@
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015348; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015349; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015349; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015350; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015350; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015351; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015351; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015352; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015352; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015353; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015353; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015354; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015354; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015355; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015355; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015356; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015356; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015357; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015357; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015358; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015358; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015359; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015359; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015360; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015360; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015361; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015361; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015362; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015362; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015363; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015363; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015364; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015364; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015365; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015365; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015366; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015366; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015367; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015367; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015368; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015368; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015369; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015369; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015370; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015370; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015371; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015371; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015372; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015372; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015373; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015373; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015374; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015374; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015375; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015375; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015376; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015376; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015377; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015377; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015378; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015378; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015379; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015379; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015380; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015380; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015381; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015381; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015382; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015382; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015383; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015383; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015384; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015384; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015385; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015385; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015386; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015386; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015387; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015387; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015388; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015388; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015389; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015389; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015390; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015390; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015391; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015391; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015392; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015392; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015393; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015393; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015394; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015394; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015395; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015395; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015396; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015396; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015397; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015397; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015398; rev:3;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015398; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015399; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015399; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015400; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015400; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015401; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015401; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015402; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015402; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015403; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015403; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015404; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015404; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015405; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015405; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015406; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015406; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015407; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015407; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015408; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015408; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015409; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015409; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015410; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015410; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015411; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015411; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015412; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015412; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015413; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015413; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015414; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015414; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015415; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015415; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015416; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015416; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015417; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015417; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015418; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015418; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015419; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015419; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015420; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015420; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015421; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015421; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015422; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015422; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015423; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015423; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015424; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015424; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015425; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015425; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015426; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015426; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015427; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015427; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015428; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015428; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015429; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015429; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015430; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015430; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015431; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015431; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015432; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015432; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015433; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015433; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015434; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015434; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015435; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015435; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015436; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015436; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015437; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015437; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015438; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015438; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015439; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015439; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015440; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015440; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015441; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015441; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015442; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015442; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015443; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015443; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015444; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015444; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015445; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015445; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015446; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015446; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015447; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015447; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015448; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015448; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015449; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015449; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015450; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015450; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015451; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015451; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015452; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015452; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015453; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015453; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015454; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015454; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015455; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015455; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015456; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015456; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015457; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015457; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pift Checkin 1"; flow:established,to_server; content:"/plg3.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015458; rev:1;)
@@ -53063,10 +53207,10 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015461; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015462; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015462; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015463; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015463; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2;)
@@ -53102,13 +53246,13 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole Landing Page /intpmt.html"; flow:established,to_server; content:"/intpmt.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole TKR Landing Page /last/index.php"; flow:established,to_server; content:"/last/index.php"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015476; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015476; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:3;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:9; content:"/top2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015478; rev:1;)
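Review bot: sid 2015475 is repurposed rather than retired: the URI match changes from `/intpmt.html` to `/last/index.php` and the msg changes, but the sid is kept (now rev:5), so any per-sid suppressions, thresholds or ticket history keyed on 2015475 silently carry over to an unrelated pattern. Retire the old rule as `ET DELETED` under its own sid, as this hunk does for 2015476, and allocate a fresh sid for the TKR landing page. The disabled rules here also use a `##` prefix where the rest of the file uses a single `#` (same in the hunk at @@ -53231 for sids 2015519 and 2015520); settle on one form so tooling that re-enables rules by stripping one leading `#` behaves consistently. Note that 2015477, 2015519 and 2015520 gain `file_data;` and a rev bump in the same change that disables them, which is dead work unless they are expected to come back.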
@@ -53123,7 +53267,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:4;)
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:8;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Java .jar request to dotted-quad domain"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^Host: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?$/Hmi"; classtype:bad-unknown; sid:2015483; rev:2;)
@@ -53135,6 +53279,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; content:"/tuner/?StationId="; http_uri; fast_pattern:only; content:"tunein.com|0d 0a|"; http_header; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:1;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Simda.C Checkin"; flow:established,to_server; content:"/?"; nocase; http_uri; content:"=%96%"; http_raw_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Trident/4.0|3b| .NET CLR 2.0.50727|3b| .NET CLR 1.1.4322|3b| .NET CLR 3.0.04506.590|3b| .NET CLR 3.0.04506.648|3b| .NET CLR 3.5.21022|3b| .NET CLR 3.0.4506.2152|3b| .NET CLR 3.5.30729)|0d 0a|"; fast_pattern:37,20; http_header; pcre:"/^Host\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\n\r\n$/H"; reference:md5,10642e1067aca9f04ca874c02aabda5c; classtype:trojan-activity; sid:2016300; rev:3;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:7;)
#
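Review bot: The new Simda.C rule (sid 2016300) is inserted between sids 2015485 and 2015486 in a file that is otherwise ordered by sid, and it is followed by a blank line before the `#` separator that no other rule in these hunks has; the same applies to sid 2017417 in the hunk at @@ -53312. Moving both to their numeric position and dropping the blank lines keeps the file greppable and merge-friendly. The pcre `/^Host\x3a[^\r\n]+?\r\nUser-Agent\x3a[^\r\n]+?\r\n\r\n$/H` requires the header block to be exactly Host followed by User-Agent and nothing else; that is presumably deliberate for this checkin, but it is the part most likely to break on a sample variant, so a one-line comment above the rule such as `# header block must be exactly Host + User-Agent; see md5 reference` would save the next maintainer a re-analysis.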
@@ -53231,10 +53378,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".php"; distance:0; http_uri; classtype:bad-unknown; sid:2015518; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; distance:0; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; distance:0; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Applet Structure"; flow:established,to_client; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2;)
@@ -53312,6 +53459,9 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla PollXT component Itemid parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_pollxt"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/94681/Joomla-PollXT-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015545; rev:1;)
#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Keep-Alive (INBOUND)"; flow:from_server,established; content:"P[endof]"; dsize:8; reference:md5,0ae2261385c482d55519be9b0e4afef3; reference:url,anubis.iseclab.org/?action=result&task_id=1043e1f5f61319b944d51d0d6d7e23f2e; reference:md5,41a0a4c0831dbcbbfd877c7d37b671e0; reference:url,blog.fireeye.com/research/2012/09/the-story-behind-backdoorlv.html; classtype:trojan-activity; sid:2017417; rev:8;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; fast_pattern:only; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:trojan-activity; sid:2015546; rev:3;)
#
@@ -53342,7 +53492,7 @@
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR, Some-State, Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:4;)
#
-alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate to (MyCompany Ltd) could be SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"MyCompany Ltd"; classtype:bad-unknown; sid:2015560; rev:3;)
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Suspicious Self Signed SSL Certificate to (MyCompany Ltd) likely Shylock CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"MyCompany Ltd"; classtype:bad-unknown; sid:2015560; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF Using CCITTFax Filter"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/CCITTFaxDecode"; distance:0; reference:url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/; reference:url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more; classtype:bad-unknown; sid:2015561; rev:1;)
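Review bot: The msg of sid 2015560 changes (category CURRENT_EVENTS to TROJAN, with a Shylock attribution) but rev stays at 3 on both sides, so rule managers that detect updates by sid:rev will not pick up the new text; bump it to `rev:4;`. The msg now calls this likely trojan CnC while classtype stays `bad-unknown`; the other TROJAN rules in this diff use `classtype:trojan-activity`, so consider aligning it, bearing in mind that classtype drives priority and should be changed deliberately.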
@@ -53387,7 +53537,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; within:3; content:"<doswf version="; fast_pattern:only; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015574; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"PK"; within:2; content:"Gond"; pcre:"/^(?:a(?:ttack|dExp)|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:7;)
#
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to tor2web.org Domain (.onion proxy)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tor2web|03|org|00|"; nocase; distance:0; reference:url,tor2web.org; classtype:bad-unknown; sid:2015576; rev:2;)
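Review bot: sid 2015575 now fires only when `ET.http.javaclient` is already set, and nothing near the rule records which signature sets that flowbit; if the setter rule is disabled or tuned out this detection goes quiet with no indication. Replace the bare `#` above the rule with `# depends on flowbits ET.http.javaclient being set by its setter rule earlier in the flow` so the coupling is visible to anyone tuning the file. The same undocumented dependency is introduced for sids 2015657 and 2015658 in a later hunk (`@@ -53624,10 +53774,10 @@`). The dropped `content:"PK"; within:2;` anchor is replaced by the flowbit as the context check, so the rule's precision now rests entirely on that other signature.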
@@ -53399,10 +53549,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:trojan-activity; sid:2015579; rev:6;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:trojan-activity; sid:2015579; rev:8;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:2;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:trojan-activity; sid:2015581; rev:1;)
@@ -53417,7 +53567,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; file_data; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; distance:0; classtype:trojan-activity; sid:2015582; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; file_data; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; distance:0; classtype:trojan-activity; sid:2015582; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; distance:0; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:1;)
@@ -53432,13 +53582,13 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; file_data; content:"|3C|html|3E 3C|body|3E 3C|script|3E|"; within:20; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:3;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; file_data; content:"|3C|html|3E 3C|body|3E 3C|script|3E|"; within:20; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:2015592; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:2015592; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:1;)
@@ -53519,13 +53669,13 @@
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain *.datajunction.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|datajunction|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS gr8domain.biz hostile redirector seen with Blackhole and Fake AV - Aug 08 2012"; flow:established,to_server; content:".gr8domain.biz|0d 0a|"; http_header; fast_pattern:only; pcre:"/Host\x3a[^\r\n]+\.gr8domain\.biz/i"; classtype:trojan-activity; sid:2015619; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole/Cool jnlp URI Struct"; flow:established,to_server; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jnlp(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015619; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; file_data; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; file_data; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:1;)
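Review bot: sid 2015619 is reassigned to an unrelated detection (the gr8domain.biz Host-header rule becomes a Blackhole/Cool `.jnlp` URI-structure rule) instead of being retired, so historical alerts carrying sid 2015619 will now resolve to the jnlp message and any tuning or metadata keyed on that sid points at the wrong logic. Retire the old rule in place as `##alert ... (msg:"ET DELETED gr8domain.biz hostile redirector ..."; ... sid:2015619; rev:2;)` and give the jnlp rule a fresh sid. The jnlp rule is also left disabled with a single `#`; a short comment stating why it is disabled (tuning, FP rate) would help the next maintainer decide whether to enable it.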
@@ -53546,13 +53696,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shamoon/Wiper/DistTrack Checkin"; flow:to_server,established; content:"/data.asp?mydata="; http_uri; content:"&uid="; http_uri; content:"&state="; http_uri; content:"User-Agent|3a| you"; http_header; reference:url,www.symantec.com/connect/blogs/shamoon-attacks; reference:url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf; classtype:trojan-activity; sid:2015632; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; distance:0; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; fast_pattern; distance:0; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:4;)
#
##alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015630; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:5;)
#
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|mooo|03|com|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2015633; rev:2;)
@@ -53600,7 +53750,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:trojan-activity; sid:2015648; rev:4;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:trojan-activity; sid:2015648; rev:6;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3;)
@@ -53609,13 +53759,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:9;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; file_data; content:"|3c|script"; distance:0; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:2;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; file_data; content:"|3c|script"; distance:0; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; file_data; content:"applet"; distance:0; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:4;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; file_data; content:"applet"; distance:0; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:5;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:2;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:3;)
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:3;)
@@ -53624,10 +53774,10 @@
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0day JRE 17 metasploit Exploit Class"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Payload.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0day JRE 17 metasploit Payload Class"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Exploit.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:1;)
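Review bot: `flowbits:isset,ET.http.javaclient;` is placed before `file_data;` in sid 2015657 but after it in sid 2015658; the two rules are siblings with otherwise parallel structure and should read the same, e.g. keep `flowbits:isset,ET.http.javaclient; file_data;` in both. The new `content:"xploit.class"; nocase;` in 2015658 deliberately drops the leading letter so that prefixed names still match; a `# matches *xploit.class, e.g. Exploit.class` comment above the rule would make that intent explicit rather than looking like a typo.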
@@ -53642,7 +53792,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:2;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:2;)
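Review bot: sid 2015663 is relabelled `ET DELETED` but commented out with a single `#`, whereas the DELETED rules around it (e.g. sid 2015664 on the next line, and sids 2015579/2015580 in earlier hunks) use `##`; in this file the single-`#` form is used for disabled-but-maintained rules, so this one reads as still live. Change the prefix to `##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - Obfuscated Payload Requested"; ...` to match the convention.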
@@ -53657,7 +53807,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value=|22|"; pcre:"/^[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit/Other - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern:only; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:bad-unknown; sid:2015670; rev:2;)
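Review bot: In sid 2015668 `content:"<applet"` is now `nocase` but the following `content:"value"` is not and the pcre has no `i` flag, so a landing page writing `VALUE=` or `Value=` (HTML attribute names are case-insensitive) slips past the second anchor; use `content:"value"; nocase; distance:0;` and, if uppercase hex should also be accepted, `/Ri` on the pcre. The character class `[\r\n\s]` in the pcre is redundant since `\s` already covers CR and LF; `\s*?` on both sides of the `=` is equivalent and easier to read. Note that adding `i` would also widen `[a-f0-9]{100}` to uppercase hex, which may or may not be wanted.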
@@ -53687,7 +53837,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015680; rev:3;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; classtype:bad-unknown; sid:2015680; rev:9;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015681; rev:1;)
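Review bot: The header/flow mismatch this hunk corrects in sid 2015680 (`$EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS` combined with `flow:established,from_server`, which would only match server responses arriving on a client port in $HTTP_PORTS) is still present in sid 2015679 on the context line above, which shares the same `applet` / `flowbits:set,et.exploitkitlanding` structure; apply the same header, `alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any`, there and bump its rev. The rev jump from 3 to 9 on 2015680 suggests intermediate revisions exist outside this diff, so the disabling `#` may have a rationale that a short comment above the rule should capture.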
@@ -53699,7 +53849,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015683; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; fast_pattern:only; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; fast_pattern:only; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4;)
#
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:2;)
@@ -53735,7 +53885,7 @@
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015696; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015698; rev:3;)
@@ -53747,7 +53897,7 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Brutus Scan Outbound"; flow:established,to_server; content:"Brutus/AET"; http_header; classtype:attempted-recon; sid:2015702; rev:1;)
@@ -53783,7 +53933,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern:only; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; fast_pattern:only; http_uri; content:"&os="; distance:0; http_uri; content:"User-Agent|3a 20|Mozilla/4.1"; http_header; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:trojan-activity; sid:2015713; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"User-Agent|3a 20|Mozilla/4.1"; http_header; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:trojan-activity; sid:2015713; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mirage Campaign checkin"; flow:established,to_server; content:"POST"; http_method; content:"/result?hl="; depth:11; http_uri; content:"&meta="; distance:0; http_uri; content:"Mjtdkj"; depth:6; http_client_body; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:trojan-activity; sid:2015714; rev:1;)
@@ -53801,7 +53951,7 @@
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:trojan-activity; sid:2015718; rev:2;)
#
-alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC"; flow:from_server,established; content:"|0d 0a 0d 0a|c=run&u=/get/"; content:".exe"; distance:0; classtype:trojan-activity; sid:2015902; rev:3;)
+alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC"; flow:from_server,established; content:"|0d 0a 0d 0a|c=run&u=/get/"; content:".exe"; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2015902; rev:4;)
#
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015719; rev:1;)
@@ -53819,10 +53969,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/counter.img?theme="; fast_pattern:only; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"User-Agent|3a| Opera/9 (Windows NT"; http_header; reference:url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf; classtype:trojan-activity; sid:2015723; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; content:"/x-java-archive|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|PK"; distance:0; classtype:trojan-activity; sid:2015724; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; content:"/x-java-archive|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|PK"; distance:0; classtype:trojan-activity; sid:2015724; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|%PDF-"; distance:0; classtype:trojan-activity; sid:2015725; rev:7;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|%PDF-"; distance:0; classtype:trojan-activity; sid:2015725; rev:9;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:1;)
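Review bot: L3598 disables sid 2015724 with a single `#` while keeping the "ET CURRENT_EVENTS" category and bumping rev to 11, whereas the neighbouring retirement on L3601 (and L3615, L3650) uses `##` and renames the msg to "ET DELETED"; a reader cannot tell whether 2015724 is retired or only temporarily paused. The same pattern appears at L3632 (2015738) and L3713 (2015803, a rule introduced already commented out). If these are retired, mark them the same way as L3601, e.g. `msg:"ET DELETED pamdql Exploit Kit 09/25/12 Sending Jar"` behind `##`; if they are paused pending a fix, a one-line comment above each stating the reason would keep the state recoverable.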
@@ -53834,7 +53984,7 @@
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015728; rev:2;)
#
-alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015729; rev:2;)
+#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015729; rev:2;)
#
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015730; rev:2;)
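Review bot: L3608 changes the msg of sid 2015729 to "ET DELETED" but leaves `rev:2` unchanged, so consumers that track rule changes by sid/rev will not pick up the edit; the parallel retirement on L3615 correctly goes 2 to 3. The same missing bump occurs at L3720 (2015808, msg renamed, rev stays 1) and L3734 (2015836, rule body changed, rev stays 6). Each modified rule should end with its rev incremented, e.g. `sid:2015729; rev:3;`.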
@@ -53843,7 +53993,7 @@
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015731; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:2;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:1;)
@@ -53855,10 +54005,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:2;)
#
-alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 2"; flow:from_server,established; content:"|0d 0a 0d 0a|c=idl"; fast_pattern; distance:0; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; classtype:trojan-activity; sid:2015903; rev:6;)
+alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 2"; flow:from_server,established; content:"|0d 0a 0d 0a|c=idl"; fast_pattern; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2015903; rev:8;)
#
-alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 3"; flow:from_server,established; content:"200 OK|0d 0a|Server|3a| "; content:"|0d 0a 0d 0a|c=rdl&u="; distance:0; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; classtype:trojan-activity; sid:2015904; rev:3;)
+alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 3"; flow:from_server,established; content:"200 OK|0d 0a|Server|3a| "; content:"|0d 0a 0d 0a|c=rdl&u="; distance:0; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2015904; rev:4;)
#
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015736; rev:3;)
@@ -53867,10 +54017,10 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHPMyAdmin BackDoor Access"; flow:established,to_server; content:"POST"; http_method; content:"/server_sync.php?"; fast_pattern:only; http_uri; content:"c="; http_uri; pcre:"/\/server_sync.php\?(?:.+?&)?c=/Ui"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"d---o---c---u---m---"; within:500; classtype:bad-unknown; sid:2015738; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"d---o---c---u---m---"; within:500; classtype:bad-unknown; sid:2015738; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:4;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:6;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:1;)
@@ -53882,6 +54032,9 @@
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 06 13 02|SE"; distance:3; within:Certs.len; content:"|55 04 08 13 01 20|"; distance:0; content:"|55 04 07 13 01 20|"; distance:0; content:"|55 04 0a 13 01 20|"; distance:0; content:"|55 04 0b 13 01 20|"; distance:0; content:"|55 04 03 13 01 20|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2015742; rev:1;)
#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Revoked Adobe Code Signing Certificate Seen"; flow:established,to_client; content:"|30 82|"; content:"|a0 03 02 01 02 02 10 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00|"; distance:6; within:38; content:"|1e 17 0d|101215000000Z|17 0d|121214235959Z0"; distance:184; within:32; content:"Adobe Systems Incorporated"; distance:66; within:26; reference:url,www.adobe.com/support/security/advisories/apsa12-01.html; classtype:policy-violation; sid:2015743; rev:1;)
+
+#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:2;)
#
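Review bot: L3642 inserts an empty line before the `#` separator, but every other rule in this file is separated by a lone `#` line only, so the blank line is stray (the same happens at L3742); dropping it keeps the layout uniform. The new rule on L3641 is a long opaque byte sequence, and nothing on the line records what it pins: the first content appears to cover the certificate version, 16-byte serial and signature-algorithm OID and the second the notBefore/notAfter window, with the subject string as the third, which is worth stating so a maintainer can re-derive it from the APSA12-01 certificate. A comment line above the rule such as `# matches the DER serial, sig-alg OID, validity window and subject of the revoked Adobe signing cert (see APSA12-01)` would suffice.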
@@ -53897,13 +54050,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; content:"utl_inaddr.get_host"; nocase; http_uri; fast_pattern:only; classtype:attempted-admin; sid:2015749; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:1;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"User-Agent|3A 20|Asynchronous WinHTTP"; http_header; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:trojan-activity; sid:2015753; rev:2;)
@@ -53936,16 +54089,16 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-Zbot.gen.als Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:trojan-activity; sid:2015783; rev:6;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:3;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:1;)
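Review bot: The renamed msg on L3663 reads "Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar", where "Other Java Exploit Kit" looks like a leftover from the previous "Unknown Java Exploit Kit" wording and now contradicts the attribution that precedes it; `msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) 32-32 byte hex hostile jar"` says the same thing cleanly. L3666 re-attributes sid 2016019 from PWS-Zbot to "Win32.boCheMan-A/Dexter" but keeps only the original md5 reference, so nothing in the rule supports the new name; adding a `reference:url,` pointing at the analysis that motivated the rename would let reviewers verify it.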
@@ -53957,10 +54110,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; distance:0; within:50; classtype:trojan-activity; sid:2015788; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page"; flow:to_server,established; content:"/links/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/links\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015787; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole/Cool eot URI Struct"; flow:to_server,established; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.eot(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015787; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; content:".html"; http_uri; content:"From|3a| "; depth:6; fast_pattern; http_header; content:!"@"; http_header; within:18; content:"|0d 0a|Via|3a| "; http_header; distance:18; within:7; content:"^"; http_header; within:40; pcre:"/From\x3a\d{18}\x0d\x0aVia\x3a[^\x0d\x0a]+?[\x5d\x5e\x60\x5c]/H"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:trojan-activity; sid:2015786; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; content:".html"; http_uri; content:"From|3a| "; depth:6; http_header; content:"Via|3a| "; http_header; content:!"1|2e|"; within:2; http_header; content:!"User-Agent|3a| "; http_header; pcre:"/^\/\d+?\/\d+?\.html$/Ui"; pcre:"/^From\x3a \d+?\r\n/Hmi"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:trojan-activity; sid:2015786; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; content:"heritrix"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?heritrix/Hmi"; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:3;)
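Review bot: L3678 reuses sid 2015787 for a different detection (a `.eot` URI structure) than the "/links/ .php" landing-page rule it replaces, with only rev 1 to 2 to mark the change; the same happens at L3688 (2015796), L3694 (2015798) and L3713 (2015803, which additionally flips direction from from_server to to_server). Any suppression, threshold or tuning a deployment keyed on these sids now silently applies to unrelated logic, and the old detections disappear without the "ET DELETED" trail the rest of this commit uses. The safer form is to retire the old rules as `##alert ... msg:"ET DELETED Blackhole 2 Landing Page" ... sid:2015787; rev:2;` and give the new URI Struct rules fresh sids.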
@@ -53975,34 +54128,34 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec"; flow:established,to_server; content:"/phptax/"; http_uri; fast_pattern:only; content:"&pfilez="; http_uri; nocase; classtype:web-application-attack; sid:2015794; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (2)"; flow:to_server,established; content:"/detects/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/detects\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015796; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole/Cool Jar URI Struct"; flow:to_server,established; content:".jar"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.jar(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015796; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/watches/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/watches\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015797; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; classtype:trojan-activity; sid:2015797; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (4)"; flow:to_server,established; content:"/boards/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/boards\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015798; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole/Cool EXE URI Struct"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.exe(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015798; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin (2)"; flow:to_server,established; content:"ch=1"; http_uri; fast_pattern:only; content:"ch=1"; http_client_body; depth:4; pcre:"/ch=1$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2015799; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dorkbot GeoIP Lookup (Skype LOL Worm)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|Host|3a| api.wipmania.com|0d 0a|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dorkbot GeoIP Lookup to wipmania"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|Host|3a| api.wipmania.com|0d 0a|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; content:"/api/"; http_uri; nocase; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|INT-"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aINT-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|INT-"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aINT-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (AMD)"; flow:to_server,established; content:"/api/"; http_uri; nocase; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|AMD-"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aAMD-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (AMD)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|AMD-"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aAMD-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:5;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:2;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (6)"; flow:established,from_server; file_data; content:"<html><head><title></title></head><body>"; within:40; content:"applet archive="; distance:0; pcre:"/\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}/Rsmi"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole/Cool Landing URI Struct"; flow:to_server,established; content:".php"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.php(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:8;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:3;)
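Review bot: L3702 and L3705 are parallel rules, yet the `|3b|c|3a|INT-` content on L3702 carries no `http_header` modifier while the `|3b|c|3a|AMD-` content on L3705 has one, even though both rules then verify the match with an `/Hm` pcre over the header buffer; the INT variant should read `content:"|3b|c|3a|INT-"; http_header; fast_pattern:only;` so both inspect the same buffer. Both rules also drop the `/api/` http_uri anchor in this commit, leaving only `ts=` and `affid=` as URI content, which presumably widens the match surface and is worth a comment or a stated reason since the rev bump alone does not explain it.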
@@ -54014,7 +54167,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mini-Flame v 5.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/counter.cgi"; http_uri; fast_pattern:only; pcre:"/(?:(?:nvidia(?:s(?:tream|oft)|drivers)|(?:rendercode|videosyn)c|flashupdates|syncstream)\.info|194\.192\.14\.125|202\.75\.58\.179)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:trojan-activity; sid:2015806; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Taidoor C2"; flow:established,to_server; content:"GET "; depth:4; content:".php?id="; fast_pattern; distance:6; within:8; pcre:"/^GET\s\/[a-z]{5}\.php\?id=[A-Z0-9]{18}\sHTTP\/1\.[0-1]\r\n/"; content:"MSIE 6.0|3b|"; distance:0; classtype:trojan-activity; sid:2015808; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Taidoor Checkin"; flow:established,to_server; content:"GET "; depth:4; content:".php?id="; fast_pattern; distance:6; within:8; pcre:"/^GET\s\/[a-z]{5}\.php\?id=[A-Z0-9]{18}\sHTTP\/1\.[0-1]\r\n/"; content:"MSIE 6.0|3b|"; distance:0; classtype:trojan-activity; sid:2015808; rev:1;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:4;)
@@ -54041,7 +54194,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:trojan-activity; sid:2015816; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:3;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GeckaSeka User-Agent"; flow: established,to_server; content:"GeckaSeka"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+GeckaSeka/Hi"; classtype:trojan-activity; sid:2015824; rev:3;)
@@ -54098,7 +54251,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk0"; depth:4; fast_pattern; classtype:trojan-activity; sid:2015835; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request"; content:"GET"; http_method; content:" Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request"; flow:established,to_server; content:"GET"; http_method; content:" Java/1."; http_header; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6;)
#
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:trojan-activity; sid:2015837; rev:2;)
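Review bot: `fast_pattern:only` is removed from the ` Java/1.` http_header content on L3734 with nothing in the rule recording why; the engine will likely still select that content as the longest one, but the `:only` form also skipped the re-verification of the match, so this is a behavioural and performance change rather than a cleanup. If the removal is intentional, a short comment above the rule stating the reason keeps the next maintainer from restoring it; otherwise keep `content:" Java/1."; http_header; fast_pattern:only;` as before. The added `flow:established,to_server;` is the right fix for a rule that previously lacked a flow keyword.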
@@ -54113,19 +54266,22 @@
alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:3;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; depth:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; depth:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Xtrat Checkin 2"; flow:to_server,established; content:"GET "; depth:4; pcre:"/^[^\r\n]+\/1234\.functions HTTP/R"; content:"/1234.functions HTTP"; fast_pattern:only; reference:md5,fea70e818984b82c9a6bbdc5157d4a40; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fXtrat.A; classtype:trojan-activity; sid:2016599; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:2;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015846; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Imposter USPS Domain"; flow:established,to_server; content:".usps.com."; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]\.usps\.com\./Hi"; classtype:trojan-activity; sid:2015848; rev:1;)
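Review bot: Disabling sid 2015847 leaves its msg as `ET CURRENT_EVENTS ...` with a single `#`, while the other rules disabled in this hunk are renamed `ET DELETED ...` (2015844 and 2015845 with `##`, 2015843 with a single `#`), so the new side mixes two conventions and a reader cannot tell which rules are retired and which are only temporarily disabled; sids 2015863 and 2015951 in later hunks are disabled the same way as 2015847. Pick one form: retirements get `##` plus `ET DELETED` as for 2015844, temporary disables keep `#` and the original msg — under that rule 2015843 should either gain the second `#` or lose the `DELETED` label. The added Xtrat rule (sid 2016599) is placed among the 2015xxx sids, so this section is no longer in sid order; harmless for the engine, but worth knowing if the file is produced from a sorted source.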
@@ -54158,7 +54314,7 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 0a|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^.{1,500}\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:trojan-activity; sid:2015859; rev:3;)
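Review bot: The new pcre for sid 2015858 replaces the bounded `^.{1,500}` with `^((?!<\/applet>).)+?`, which has no upper bound, so on a response where `<applet` is never followed by `</applet>` the lazy group (one lookahead per character under `/s`) is extended across the rest of the file_data buffer and the trailing `\/.{1,12}\/...` sequence is retried at every position. Keeping a cap preserves the intent of stopping at the closing tag while bounding the work: `pcre:"/^((?!<\/applet>).){1,1500}?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs";`. The 1500 is a constructed placeholder, not taken from the page; derive the bound from the landing-page samples that motivated the change.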
@@ -54167,10 +54323,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potentially Unwanted Program RebateInformerSetup.exe Download Reporting"; flow:established,to_server; content:"/RebateInformerSetup.exe"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Inno Setup Downloader"; http_header; reference:url,www.ripoffreport.com/directory/rebategiant-com.aspx; classtype:trojan-activity; sid:2015862; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:3;)
#
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:trojan-activity; sid:2015865; rev:2;)
@@ -54209,7 +54365,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 32-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:39; content:"/q.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Maxmind geoip check to /app/geoip.js"; flow:established,to_server; content:"/app/geoip.js"; http_uri; fast_pattern:only; content:"maxmind.com|0d 0a|"; http_header; classtype:policy-violation; sid:2015878; rev:1;)
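Review bot: The rewritten sid 2015877 drops the `urilen:39` prefilter and its only content matches are `.php` and `/` in http_uri, neither marked `fast_pattern`, so the pcre is evaluated on essentially every request for a PHP resource. The pcre admits exactly two URI lengths — 23 bytes (`/` + 16 hex + `/` + letter + `.php`) and 39 bytes — so a urilen constraint around those values restores a cheap prefilter, e.g. `urilen:22<>40;`; check whether the engine treats `<>` as exclusive or inclusive before fixing the bounds, since Snort and Suricata document it differently. The `content:"/"; http_uri; distance:-6; within:1;` check correctly requires `/` two bytes before `.php`, matching the pcre's `\/[a-z]\.php$` tail.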
@@ -54236,10 +54392,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:trojan-activity; sid:2015887; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Popads/Unknown Java Exploit Kit 32-32 byte hex java payload request"; flow:established,to_server; content:"/0"; http_uri; offset:33; depth:2; urilen:35; pcre:"/\/[a-f0-9]{32}\/0/U"; flowbits:isset,ET.http.javaclient.vulnerable; content:" Java/1"; http_header; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}\/\d+?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50"; http_uri; depth:3; pcre:"/^\/50[a-f][a-f0-9]{21}\/(([CBrhVykGTU]+Y){3}[CBrhVykGTU]{1,2}|NHee)S(([CBrhVykGTU]+Y){3}[CBrhVykGTU]|NHee)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:2;)
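Review bot: In the new pcre for sid 2015888, `(?:[\/_]*?[a-f0-9][\/_]*?){32}` puts a lazy separator class at both the start and the end of the repeated group, so a run of separators between two hex digits can be split between adjacent iterations in several ways; on a non-matching URI with many `/` or `_` characters the engine explores those splits across all 32 iterations before failing, which is a backtracking hazard for a rule whose only content match (`Java/1.` in http_header) fires on every Java client request. Moving the leading class out of the group removes the ambiguity without changing the accepted URIs: `pcre:"/^\/[\/_]*?(?:[a-f0-9][\/_]*?){32}\/\d+?$/U";`. The removed line also carried an http_uri content (`/0` at offset 33) that served as a URI-side prefilter; if the kit variant still has any fixed URI token, adding it back would keep the generic Java User-Agent from being the only MPM pattern.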
@@ -54260,7 +54416,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown_comee.pl - POST with stpfu in http_client_body"; flow:established,to_server; content:"POST"; http_method; content:"stpfu"; http_client_body; depth:5; classtype:trojan-activity; sid:2015895; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Unknown_comee.pl - Response from stpfu in http_client_body"; flow:established,to_client; file_data; content:"|6C 95 32 CB|"; within:4; classtype:trojan-activity; sid:2015896; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Andromeda Check-in Response"; flow:established,to_client; content:"Content-Length|3a| 9|0d 0a|"; http_header; file_data; content:"|6C 95 32 CB|"; within:4; file_data; classtype:trojan-activity; sid:2015896; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru|0d 0a|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:2;)
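Review bot: The new sid 2015896 ends its match sequence with a second `file_data;` that nothing follows, so it is a no-op and reads as if a check was dropped; remove it or add the intended body match after it, leaving `content:"|6C 95 32 CB|"; within:4; classtype:trojan-activity;`. The header match pins `Content-Length|3a| 9|0d 0a|` to a nine-byte body while the body check covers only the first four bytes; if the remaining five bytes are constant across samples, matching them too would tighten a four-byte binary pattern that can occur in unrelated responses. Renaming the Unknown_comee.pl placeholder to Andromeda under the same sid is fine here, since the detection content is unchanged.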
@@ -54275,7 +54431,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 3 User-Agent"; flow: established,to_server; content:"Windows NT 3"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 3/Hmi"; classtype:trojan-activity; sid:2015900; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:2;)
#
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:attempted-user; sid:2015905; rev:1;)
@@ -54362,7 +54518,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (8)"; flow:to_server,established; content:"/less/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/less\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015933; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole/Cool txt URI Struct"; flow:to_server,established; content:".txt"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:(?:detec|meri)t|[wW]atche|link)s|co(?:ntrolling|mplaints)|r(?:ea(?:che)?d|aise)|(?:alternat|fin)e|s(?:erver|tring)|t(?:hought|opic)|w(?:hite|orld)|en(?:sure|ds)|indication|kill|Web)\/([a-z]{2,19}[-_]){1,4}[a-z]{2,19}\.txt(\?[a-zA-Z]+?=[a-zA-Z0-9]+?&[\x3ba-zA-Z]+?=[a-zA-Z0-9]+?)?$/U"; classtype:trojan-activity; sid:2015933; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; content:"GET /t/"; depth:7; pcre:"/^[a-f0-9]{32}\s*HTTP\/1\.[0-1]\r\n/R"; classtype:trojan-activity; sid:2015936; rev:3;)
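Review bot: sid 2015933 is reused for a completely different detection — the removed line matched `/less/...php` Blackhole landing URIs and the new one matches a `.txt` URI structure with a different pattern and msg — so any threshold, suppression or tuning keyed on 2015933 now silently applies to the new rule, and historical alerts for the sid describe two unrelated things. Elsewhere in this commit the old signature is retired (`##alert ... ET DELETED ...`, as for 2015844) and new content gets a new sid; follow that here. Separately, `fast_pattern:only` on `.txt` is a weak prefilter, so the long alternation pcre runs on every `.txt` request; if one of the directory names in the alternation is specific enough, it would make a better fast pattern.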
@@ -54410,7 +54566,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; pcre:"/\.jar\?m\=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:14;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; pcre:"/\.jar\?m\=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:15;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; classtype:trojan-activity; sid:2015952; rev:1;)
@@ -54428,7 +54584,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad/?"; depth:5; http_uri; fast_pattern; pcre:"/^\/ad\/\?[a-z]{1,4}\x3d[a-z0-9]+?$/Ui"; content:"User-Agent|3a| Microsoft BITS/"; http_header; classtype:trojan-activity; sid:2015957; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad"; depth:3; http_uri; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/Ui"; content:"User-Agent|3a| Microsoft BITS/"; http_header; classtype:trojan-activity; sid:2015957; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad/?"; depth:5; http_uri; fast_pattern; pcre:"/^\/ad\/\?[a-z]{1,4}\x3d[a-z0-9]+?$/Ui"; content:!"User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2015958; rev:1;)
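Review bot: The new sid 2015957 relaxes the Lyposit URI to `/ad`, an arbitrary non-slash run before `/?`, a five-letter key and an optional leading `.` in the value, but its companion sid 2015958 on the context line below (same kit, differing only in the negated User-Agent check) keeps the old `/ad/?` depth:5 content and `[a-z]{1,4}` key. Unless the variants that prompted the relaxation always carry the BITS User-Agent, Checkin 2 now misses them; applying the same `content:"/ad"; depth:3; http_uri; pcre:"/^\/ad[^\x2f]*?\/\?[a-z]{1,5}\x3d\x2e?[a-z0-9]+?$/Ui";` to 2015958 would keep the pair consistent. Dropping `fast_pattern` from the URI content in 2015957 looks safe, since the `User-Agent|3a| Microsoft BITS/` header is now its longest content and should be auto-selected.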
@@ -54440,19 +54596,19 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern:only; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015960; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; fast_pattern:only; content:"Java/1."; http_header; classtype:trojan-activity; sid:2015960; rev:10;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; fast_pattern:only; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e=u00"; http_uri; fast_pattern:only; content:"&token=u00"; http_uri; classtype:trojan-activity; sid:2015962; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern:only; content:"&token="; http_uri; classtype:trojan-activity; sid:2015962; rev:10;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin 1"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; content:" HTTP"; distance:1; within:5; content:"MSIE 7.0|3b|"; content:".ddns"; fast_pattern; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\x2eeu\r\n\r\n$/"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015968; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"GET "; depth:4; content:"MSIE 7.0|3b|"; content:".ddns"; fast_pattern; distance:0; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/GET \/[a-z0-9]+?\/?\?[a-z]\d? HTTP\/1\.1\r\nUser-Agent\x3a .+?\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\.eu\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"|3f|"; offset:6; depth:5; content:"GET "; depth:4; pcre:"/^\/[a-z0-9]{1,4}\/?\?.+? HTTP\/1\.[0-1]/Ri"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a 20|"; within:77; fast_pattern:57,20; pcre:"/^[^\r\n]+?(\r\nConnection\x3a Keep-Alive)?\r\n\r\n$/Ri"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:10;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:8;)
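Review bot: The new sid 2015969 changes the destination from `[443,80,8080,9000:9009]` to `1024:`, so requests to 80, 443 and 8080 — still covered by the removed line and by the sibling VOBFUS rules 2015968 and 2015976 — are no longer inspected by this rule, while every high-port connection now is. If the intent is to leave standard-port traffic to an http-normalized variant, that rule is not visible in this hunk and the change is not recorded anywhere; otherwise keep the explicit ports, e.g. `alert tcp $HOME_NET any -> $EXTERNAL_NET [80,443,8080,1024:]`. The `fast_pattern:57,20` selection is `NT 5.1|3b| SV1)|0d 0a|Host|3a 20|` from the 77-byte header content, a common IE7/XP fragment, so the MPM prefilter is broad and precision rests on the `|3f|` offset/depth check and the two relative pcres.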
@@ -54473,19 +54629,19 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"?s=1"; http_uri; content:"|29 20|Java/1"; http_header; content:"text="; http_client_body; depth:5; pcre:"/\?s=1$/U"; classtype:trojan-activity; sid:2015974; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_header; fast_pattern:only; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:trojan-activity; sid:2015974; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/grant\s+(file|all)\s+on\s+A{500,}/"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; fast_pattern; content:" HTTP"; distance:1; within:5; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; pcre:"/GET \/1\/\?\w HTTP\/1\.1\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a .+?(\x3a(443|8080|900[0-9]))?\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:76; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,70}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:6;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:106; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:8;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy3Ojj"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"yy3Ojj"; within:1600; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:6;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:bad-unknown; sid:2015979; rev:1;)
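Review bot: For sid 2015978 the new side shortens the marker from `Dyy3Ojj` (7 bytes) to `yy3Ojj` (6 bytes), the same length as the `applet` content; with no explicit `fast_pattern`, longest-content auto-selection now has a tie, and depending on the engine's tie-break `applet` — present in a large share of HTML responses — may become the MPM pattern, so the rule would be evaluated far more often than before. Mark the marker explicitly: `content:"yy3Ojj"; fast_pattern; within:1600;`. Widening `within:300` to `within:1600` also loosens the coupling to `applet`; if samples required that, a comment line above the rule would help the next revision. For sid 2015975 the relative `/^\s+A{500}/R` is a good tightening over the unanchored scan, though `content:"on"; distance:0; nocase;` is a two-byte case-insensitive token that occurs inside many words, so the engine may retry it several times per payload before the pcre settles.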
@@ -54503,13 +54659,16 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; http_uri; pcre:"/(\?|&)(host|service|opt|end|start)=[^&]+?\x60.+?\x60/Ui"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:2;)
#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 41080 (msg:"ET WEB_SPECIFIC_APPS Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download 2"; flow:to_server,established; content:"/brightmail/admin/restore/download.do?"; http_uri; content:"&localBackupFileSelection="; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00; classtype:attempted-user; sid:2016119; rev:2;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:bad-unknown; sid:2015983; rev:1;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Joomla Component SQLi Attempt"; flow:established,to_server; content:"option=com_"; http_uri; nocase; content:"union"; http_uri; nocase; distance:0; content:"select"; nocase; http_uri; distance:0; content:"from"; nocase; http_uri; distance:0; content:"jos_users"; distance:0; http_uri; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kuluoz.B Request"; flow:established,to_server; content:"GET"; http_method; pcre:"/^\/[a-f0-9]+$/Ui"; content:"Windows NT 9.0|3b|"; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}(\x3a\d{1,5})?\r?$/Hmi"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kuluoz.B Request"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/[a-f0-9]+$/Ui"; content:"Windows NT 9.0|3b|"; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}(\x3a\d{1,5})?\r?$/Hmi"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5;)
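Review bot: In the added sid 2016119 the traversal check `content:"|2e 2e 2f|"; depth:200;` carries no buffer modifier, so after two `http_uri` matches it is evaluated against the first 200 bytes of the raw request rather than the normalized URI; a long request line whose `localBackupFileSelection` value lies beyond byte 200, or one where the normalizer decodes the traversal, is not matched even though the normalized URI contains `../`. Placing the check in the URI buffer relative to the parameter keeps it aligned with the other two matches: `content:"&localBackupFileSelection="; http_uri; content:"|2e 2e 2f|"; http_uri; distance:0;`. The rule is inserted ahead of sid 2015983 and so out of sid order, as with 2016599 earlier in the diff. For sid 2015985 the dropped `^` anchor on `/\/[a-f0-9]+$/Ui` broadens from a single hex path segment to any URI ending in one; with the Host-is-IP and `Windows NT 9.0` checks retained that is probably intentional, but the rev bump alone does not record why.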
@@ -54548,13 +54707,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:"/j16.php?i="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:".php?i="; http_uri; pcre:"/\/j\d{2}\.php\?i=/U"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/lpdf.php?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/\/lpdf\.php\?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; fast_pattern:only; pcre:"/\/i.php?token=[a-z0-9]+$/U"; classtype:trojan-activity; sid:2015998; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; nocase; fast_pattern:only; pcre:"/\/i.php?token=[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2015998; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:1;)
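Review bot: sid 2015998 still carries the unescaped pcre `/\/i.php?token=[a-z0-9]+$/Ui` on the new side — the `?` makes the preceding `p` optional instead of matching the query separator, so the expression requires `php` or `ph` to be followed directly by `token=` and can never match the `/i.php?token=` URI that the content keyword demands; the rule is dead both before and after this commit. The identical defect in sid 2016012 is fixed two lines above (`\/lpdf\.php\?i=`), so apply the same fix here alongside the added `nocase`/`i`: `pcre:"/\/i\.php\?token=[a-z0-9]+$/Ui";`. For sid 2016013 the new `.php?i=` content with `/\/j\d{2}\.php\?i=/U` is consistent, though ` Java/1` with `fast_pattern:only` now prefilters a fairly generic URI pattern, the same trade-off accepted elsewhere in this file.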
@@ -54599,10 +54758,19 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SmokeBot grab data plaintext"; flow:established,to_server; content:"cmd=grab&data="; fast_pattern:only; http_client_body; content:"&login="; http_client_body; classtype:trojan-activity; sid:2016011; rev:3;)
#
-alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)
+alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:6;)
+
+#
+#alert udp $HOME_NET 53 -> any any (msg:"ET CURRENT_EVENTS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29|"; within:7; fast_pattern; byte_test:2,>,4095,0,relative; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:6;)
#
-alert udp $HOME_NET 53 -> any any (msg:"ET CURRENT_EVENTS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Nymaim Checkin"; flow:to_server,established; content:"POST "; depth:5; content:"/nymain/"; within:8; fast_pattern; content:"/index.php"; distance:0; content:"|0d 0a 0d 0a|filename="; distance:0; content:"&data="; distance:0; reference:md5,b904ce55532582a6ea516399d8e4b410; classtype:trojan-activity; sid:2016752; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ksapp.A Checkin"; flow:to_server,established; content:"GET "; depth:4; content:"/kspp/do?imei="; distance:0; content:"&wid="; distance:0; content:"&type="; distance:0; content:"&step="; distance:0; reference:md5,e6d9776113b29680aec73ac2d1445946; reference:md5,13e6ce4aac7e60b10bfde091c09b9d88; reference:url,anubis.iseclab.org/?action=result&task_id=16b7814b794cd728435e122ca2c2fcdd3; reference:url,www.fortiguard.com/latest/mobile/4158213; reference:url,symantec.com/connect/blogs/mdk-largest-mobile-botnet-china; classtype:trojan-activity; sid:2016318; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/KeyLogger.ACQH!tr Checkin"; flow:to_server,established; content:".php?cn"; http_uri; content:"&str="; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"User-Agent|3a| WinInetGet/"; http_header; pcre:"/\.php\?cn(ame)?=/U"; reference:md5,eddce1a6c0cc0eb7b739cb758c516975; reference:md5,c0d9352ad82598362a426cd38a7ecf0e; reference:url,www.fortiguard.com/av/VID4225990; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016912; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:1;)
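Review bot: The outbound DNS amplification rule (sid 2016017) is disabled on its `#alert` line but keeps `msg:"ET CURRENT_EVENTS DNS Amplification Attack Outbound"` with a bumped rev, whereas the other rules retired in this commit (sid 2016752 in this hunk, sid 2016025 in the hunk at @@ -54623) are renamed to `ET DELETED`; the same inconsistency applies to sid 2016035 in the hunk at @@ -54647. If the rule is retired, rename it `msg:"ET DELETED DNS Amplification Attack Outbound"`; if it is only shipped disabled, a one-line comment above it saying why would stop the next maintainer from removing it. The new `byte_test:2,>,4095,0,relative` in sid 2016016 presumably reads the EDNS0 UDP payload size that follows the `00 29` OPT type, generalising the old fixed `29 10` byte; a comment naming that field and the 4096 cut-off would make the intent checkable. The Android/Ksapp rule (sid 2016318) matches raw `GET ` with `depth:4` against `$EXTERNAL_NET any` instead of `http_method`/`http_uri` against `$HTTP_PORTS` like the surrounding rules; if that is deliberate for non-standard ports, say so in a comment.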
@@ -54623,13 +54791,13 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:bad-unknown; sid:2016024; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:bad-unknown; sid:2016025; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:bad-unknown; sid:2016025; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - <applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016026; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016026; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - <applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016027; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016027; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:1;)
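Review bot: The retired rule for sid 2016025 is prefixed with `##` while the other rules disabled in this commit (sid 2016752 in the hunk at @@ -54599, sid 2016035 in the hunk at @@ -54647) use a single `#`. If the doubled marker carries meaning for the ruleset tooling, for example distinguishing a permanently deleted rule from one that is merely off by default, a comment at the top of the file documenting that convention would help reviewers; if it does not, the markers should be normalised to one form. Removing the `<` from the msg text of sid 2016026 and sid 2016027 looks like a consumer-safety change; a brief comment such as `# msg text kept free of markup characters for log/XML consumers` above those rules would record why the rev was bumped.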
@@ -54647,13 +54815,13 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS JCE Joomla Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)"; http_header; classtype:web-application-attack; sid:2016032; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Simple Slowloris Flooder"; flow:established,to_server; content:"POST"; http_method; content:"Content-length|3A| 5235|0D 0A|"; depth:22; http_header; content:!"User-Agent|3a|"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Simple Slowloris Flooder"; flow:established,to_server; content:"POST"; http_method; content:"Content-length|3A| 5235|0D 0A|"; http_header; content:!"User-Agent|3a|"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Faked Russian Opera UA without Accept - probable downloader"; flow:established,to_server; content:"User-Agent|3a 20|Opera/9.80"; http_header; content:"Edition Yx|3b| ru"; fast_pattern; http_header; distance:0; content:!"Accept|3a|"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016034; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/floating-social-media-links/fsml-admin.js.php?"; nocase; http_uri; fast_pattern:47,18; content:"wpp="; nocase; http_uri; pcre:"/wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016037; rev:1;)
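Review bot: Dropping `depth:22` from the `Content-length|3A| 5235|0D 0A|` match in sid 2016033 lets the header be found anywhere in the header buffer, but nothing records that the lowercase `l` in `Content-length` and the exact value 5235 are presumably the fixed request fingerprint of one flooder build rather than arbitrary choices, so a future maintainer could reasonably add `nocase` or widen the value and silently change what the rule detects. A comment above the rule such as `# sid 2016033: header casing and length are the tool's fixed fingerprint - do not add nocase` would preserve that intent, and the Imperva reference alone does not make it obvious.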
@@ -54685,3 +54853,5751 @@
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/ssi_examples.php?"; nocase; http_uri; fast_pattern:only; content:"view="; nocase; http_uri; pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016036; rev:1;)
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server; content:"/command?user_id="; fast_pattern; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016047; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Configuration Update Request"; flow:established,to_server; content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; content:"&ip="; http_uri; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016048; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Prinimalka.py Script In CnC Beacon"; flow:established,to_server; content:"/prinimalka.py/"; http_uri; fast_pattern:only; reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; classtype:trojan-activity; sid:2016049; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; content:"/list.php?db="; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:trojan-activity; sid:2016050; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; fast_pattern; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; http_client_body; content:"&name="; http_client_body; content:"&email="; http_client_body; content:"&pw="; http_client_body; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:trojan-activity; sid:2016051; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Requested"; flow:established,to_server; content:"/getmyfile.exe"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016052; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Payload Download Received"; flow:established,to_client; content:".exe.crypted"; http_header; fast_pattern; content:"attachment"; http_header; classtype:trojan-activity; sid:2016053; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - Server Response - Application Error"; flow:established,to_client; content:"X-Powered-By|3a| Application Error...."; http_header; classtype:trojan-activity; sid:2016054; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf EK - flsh.html"; flow:established,to_server; urilen:>80; content:"/flsh.html"; http_uri; classtype:trojan-activity; sid:2016056; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CoolEK Font File Download Dec 18 2012"; flow:to_server,established; content:".eot"; http_uri; nocase; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|read|(?:fo|tu)r)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.eot|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.EOT)$/U"; classtype:trojan-activity; sid:2016057; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK - New PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"1.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})1\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}1\.PDF)$/U"; classtype:trojan-activity; sid:2016058; rev:8;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK - Old PDF Exploit - Dec 18 2012"; flow:established,to_server; content:"2.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})2\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}2\.PDF)$/U"; classtype:trojan-activity; sid:2016059; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK - Jar - Jun 05 2013"; flow:to_server,established; content:".jar"; nocase; fast_pattern:only; http_uri; content:" Java/1"; http_header; pcre:"/Host\x3a[^\r\n]+?\.(pw|us)(\x3a\d{1,5})?\r$/Hmi"; pcre:"/^(\/[a-z]{3,20})?\/([a-z]{3,20}[-_])+[a-z]{3,20}\.jar$/U"; classtype:trojan-activity; sid:2016060; rev:12;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible WordpressPingbackPortScanner detected "; flow:established,to_server; content:"POST"; http_method; nocase; content:"/xmlrpc.php"; http_uri; content:"pingback.ping"; http_client_body; nocase; threshold: type both, track by_src, seconds 60, count 5; reference:url,seclists.org/bugtraq/2012/Dec/101; reference:url,github.com/FireFart/WordpressPingbackPortScanner/; reference:url,www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/; classtype:web-application-attack; sid:2016061; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Chapro.A Malicious Apache Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"c="; http_client_body; depth:2; content:"&version="; http_client_body; distance:0; content:"&uname="; fast_pattern; http_client_body; distance:0; reference:url,blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a; classtype:trojan-activity; sid:2016062; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH PayPal - Account Phished"; flow:established,to_server; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"browser_version="; http_client_body; content:"operating_system="; fast_pattern; http_client_body; classtype:bad-unknown; sid:2016063; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Popads Exploit Kit font request 32hex digit .eot"; flow:established,to_server; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.eot$/Ui"; classtype:attempted-user; sid:2016064; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Embedded Open Type Font file .eot"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|a|00|b|00|c|00|d|00|e|00|f|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016065; rev:3;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED CoolEK - Landing Page (2)"; flow:established,to_client; file_data; content:"</title>|0D 0A|<link href=|22|favicon.ico|22| rel=|22|shortcut icon|22| type=|22|image/x-icon|22| />"; classtype:trojan-activity; sid:2016066; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Possible BitCoin Miner User-Agent (miner)"; flow:established,to_server; content:"miner"; nocase; http_header; fast_pattern:only; pcre:"/User-Agent\x3A[^\r\n]*miner[^a-z]/Hi"; reference:url,abcpool.co/mining-software-comparison.php; classtype:trojan-activity; sid:2016067; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY poclbm BitCoin miner"; flow:established,to_server; content:"User-Agent|3a| poclbm/"; nocase; http_header; reference:url,abcpool.co/mining-software-comparison.php; classtype:trojan-activity; sid:2016068; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE suspicious User-Agent (vb wininet)"; flow:established,to_server; content:"User-Agent|3a 20|vb|20 20 20|wininet|0d 0a|"; http_header; classtype:bad-unknown; sid:2016069; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016070; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .jar file request"; flow:established,to_server; urilen:>44; content:".jar"; offset:38; http_uri; content:"Java/1."; http_header; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016071; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO 20 Dec 12 - .pdf file request"; flow:established,to_server; urilen:>44; content:".pdf"; offset:38; http_uri; pcre:"/^\/[a-zA-Z0-9]{25,35}\/\d{9,10}\/[a-z]{4,12}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016072; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016073; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Skill.gk User-Agent"; flow:established,to_server; content:"|3b 20 3b 20|"; http_header; pcre:"/User-Agent[^\r\n]+(MSIE[^\r\n]*(\x3b\x20){2}|(\x3b\x20){2}[^\r\n]*MSIE)/iH"; classtype:trojan-activity; sid:2016074; rev:4;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Video Lead Form plugin errMsg parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=video-lead-form"; nocase; http_uri; fast_pattern:5,15; content:"errMsg="; nocase; http_uri; pcre:"/errMsg\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118466/WordPress-Video-Lead-Form-0.5-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016076; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery albumid parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plist.php?albumid="; nocase; http_uri; pcre:"/albumid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:2016077; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Amateur Photographer Image Gallery file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/force-download.php?file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/117463/Amateur-Photographers-Image-Gallery-0.9a-XSS-SQL-Injection.html; classtype:web-application-attack; sid:2016078; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS simple machines forum include parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"action=admin"; nocase; http_uri; content:"include="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/116709/SMF-2.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016079; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Cloudsafe365 file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/cloudsafe365-for-wp/admin/editor/cs365_edit.php?"; nocase; http_uri; fast_pattern:19,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115972/WordPress-Cloudsafe365-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016080; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Zenphoto date parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/zp-core/zp-extensions/zenpage/admin-news-articles.php?"; nocase; http_uri; content:"date="; nocase; http_uri; pcre:"/date\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117067/Zenphoto-1.4.3.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016081; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanageredit page XSS Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=tokenmanageredit"; nocase; http_uri; fast_pattern:5,16; content:"tid="; nocase; http_uri; pcre:"/tid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016082; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Token Manager Plugin tokenmanagertypeedit page XSS Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=tokenmanagertypeedit"; nocase; http_uri; fast_pattern:5,20; content:"tid="; nocase; http_uri; pcre:"/tid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116837/Wordpress-Plugin-Token-Manager-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016083; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:2016084; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; nocase; distance:0; content:"ShowPropertiesDialog"; nocase; distance:0; reference:url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html; classtype:attempted-user; sid:2016085; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SonicWALL SonicOS searchStr XML Tag Script Insertion Attempt"; flow:established,to_server; content:"POST"; http_method; content:"dbInfo"; nocase; http_client_body; content:"dbInfoRequest"; nocase; http_client_body; content:"searchStr"; nocase; http_client_body; pcre:"/(\x3c|\x253c)dbInfo(\x3e|\x253e)[\r\n\s]*?(\x3c|\x253c)dbInfoRequest(\x3e|\x253e).+?(\x3c|\x253c)searchStr(\x3e|\x253e)((?!(\x3c|\x253c)(\/|\x252f)searchStr(\x3e|\x253e)).)+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=)).+?(\x3c|\x253c)(\/|\x252f)searchStr(\x3e|\x253e)/Psi"; reference:url,securelist.com/en/advisories/51615; reference:url,seclists.org/bugtraq/2012/Dec/110; classtype:web-application-attack; sid:2016086; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Unk_Banker - Check In"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Opera/11.1"; http_header; content:"&action=check"; http_client_body; content:"&id="; http_client_body; content:"&version2="; http_client_body; classtype:trojan-activity; sid:2016087; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN SmokeLoader - Init 0x"; flow:established,to_client; content:"Init|3a| 0x"; http_header; classtype:trojan-activity; sid:2016088; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 7.1|3b| Trident/5.0)|0d 0a|Host|3a20|"; depth:83; http_header; fast_pattern:47,20; content:!"Accept|3a 20|"; http_header; reference:md5,dd4d18c07e93c34d082dab57a38f1b86; reference:md5,5a864ccfeee9c0c893cfdc35dd8820a6; classtype:trojan-activity; sid:2016089; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange /in.php?q="; flow:established,to_server; content:"/in.php?q="; http_uri; classtype:trojan-activity; sid:2016090; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hostile Gate landing seen with pamdql/Sweet Orange base64"; flow:established,to_server; content:"KAhFXlx9"; http_uri; pcre:"/\.php\?[a-z]=.{2}KAhFXlx9.{2}Oj[^&]+$/U"; classtype:trojan-activity; sid:2016091; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:trojan-activity; sid:2016092; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Updtkiller Sending Device Information"; flow:established,to_server; content:"/phone_getinfokou_android.php"; http_uri; reference:url,www.symantec.com/ja/jp/security_response/writeup.jsp?docid=2012-082308-1823-99&tabid=2; classtype:trojan-activity; sid:2016094; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dexter Infostealer CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"page="; http_client_body; depth:5; content:"&spec="; distance:0; http_client_body; content:"&opt="; distance:0; http_client_body; content:"var="; distance:0; http_client_body; content:"val="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html; classtype:trojan-activity; sid:2016095; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; content:"&comp="; distance:0; content:"&src="; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:trojan-activity; sid:2016096; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown - Loader - Check .exe Updated"; flow:established,to_server; urilen:<10; content:"If-Modified-Since|3a| "; http_header; content:"If-None-Match|3a| "; http_header; content:".exe"; http_uri; fast_pattern; classtype:trojan-activity; sid:2016097; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Inbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016098; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Drupal Mass Injection Campaign Outbound"; flow:established,from_server; file_data; content:"if (i5463 == null) { var i5463 = 1|3b|"; classtype:bad-unknown; sid:2016099; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Request to Wordpress W3TC Plug-in dbcache Directory"; flow:established,to_server; content:"/wp-content/w3tc/dbcache"; http_uri; nocase; reference:url,seclists.org/fulldisclosure/2012/Dec/242; classtype:trojan-activity; sid:2016100; rev:1;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 131.253.18.0/24"; content:"|00 01 00 01|"; content:"|00 04 83 fd 12|"; distance:4; within:5; classtype:trojan-activity; sid:2016101; rev:2;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 199.2.137.0/24"; content:"|00 01 00 01|"; content:"|00 04 c7 02 89|"; distance:4; within:5; classtype:trojan-activity; sid:2016102; rev:2;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply Sinkhole - Microsoft - 207.46.90.0/24"; content:"|00 01 00 01|"; content:"|00 04 cf 2e 5a|"; distance:4; within:5; classtype:trojan-activity; sid:2016103; rev:2;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET TROJAN DNS Reply for unallocated address space - Potentially Malicious 1.1.1.0/24"; content:"|00 01 00 01|"; content:"|00 04 01 01 01|"; distance:4; within:5; classtype:trojan-activity; sid:2016104; rev:3;)
+
+#
+##alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page"; flow:established,from_server; file_data; content:"<applet"; content:"site.A.class"; within:300; classtype:trojan-activity; sid:2016106; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Topic EK Requesting Jar"; flow:established,to_server; content:".php?exp="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; content:" Java/1"; http_header; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016107; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016108; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP-Property Plugin uploadify.php Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/wp-property/third-party/uploadify/uploadify.php"; http_uri; nocase; content:"Filedata"; nocase; http_client_body; reference:url,www.securityfocus.com/bid/53787/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/53787.php; classtype:web-application-attack; sid:2016109; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Download antivirus-installer.exe"; flow:to_server,established; content:"/antivirus-install.exe"; http_uri; classtype:trojan-activity; sid:2016110; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_header; content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016112; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS section parameter XSS Attempt"; flow:established,to_server; content:"/?cmd=new_section"; nocase; http_uri; fast_pattern; content:"section="; nocase; http_uri; pcre:"/section\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016114; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS index.php file XSS Attempt"; flow:established,to_server; content:"/index.php/Child_Page?"; nocase; http_uri; content:"cmd=new_section"; nocase; http_uri; fast_pattern; content:"section="; nocase; http_uri; pcre:"/section\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016115; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS gpEasy CMS key parameter XSS Attempt"; flow:established,to_server; content:"/index.php/Admin_Theme_Content?"; nocase; http_uri; content:"cmd=edittext"; nocase; http_uri; fast_pattern; content:"key="; nocase; http_uri; pcre:"/key\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,1337day.com/exploit/19949; classtype:web-application-attack; sid:2016116; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Mailing List plugin wpabspath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/mailz/lists/config/config.php?"; fast_pattern:20,20; nocase; http_uri; content:"wpabspath="; nocase; http_uri; pcre:"/wpabspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/105236/WordPress-Mailing-List-1.3.2-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016117; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wiki Web Help configpath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/pages/links.php?"; nocase; http_uri; content:"configpath="; nocase; http_uri; pcre:"/configpath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116202/Wiki-Web-Help-0.3.11-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016120; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Relocate Upload plugin abspath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/relocate-upload/relocate-upload.php?"; nocase; http_uri; fast_pattern:19,17; content:"ru_folder="; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/105239/WordPress-Relocate-Upload-0.14-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016121; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LogAnalyzer asktheoracle.php file XSS Attempt"; flow:established,to_server; content:"/asktheoracle.php?"; nocase; http_uri; fast_pattern; content:"type="; nocase; http_uri; content:"oracle_query="; nocase; http_uri; pcre:"/oracle\_query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/119015/Loganalyzer-3.6.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016122; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Myflash path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/myflash/myextractXML.php"; nocase; http_uri; fast_pattern:19,9; content:"path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/118400/WordPress-Myflash-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016123; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:trojan-activity; sid:2016124; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; content:"/status.php?cliver="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; classtype:trojan-activity; sid:2016125; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:trojan-activity; sid:2016126; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:trojan-activity; sid:2016127; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; classtype:trojan-activity; sid:2016128; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_gmf/Styx EK - fnts.html "; flow:established,to_server; content:"/fnts.html"; http_uri; classtype:trojan-activity; sid:2016129; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Stabuniq Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&varname="; http_client_body; content:"&comp="; http_client_body; content:"&ver="; http_client_body; content:"&xid="; http_client_body; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016130; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Window Location CVE-2012-4792 EIP"; flow:established,from_server; file_data; content:"<form"; nocase; content:"button"; nocase; content:"CollectGarbage("; nocase; fast_pattern:only; content:".location"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*unescape\(\s*[\x22\x27][\\%]u/Ri"; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016132; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Escaped Unicode Char in Location CVE-2012-4792 EIP % Hex Encode"; flow:established,from_server; file_data; content:"%2e%6c%6f%63%61%74%69%6f%6e%20%3d%20%75%6e%65%73%63%61%70%65%28%22%25%75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016134; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS CFR DRIVEBY CVE-2012-4792 DNS Query for C2 domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|provide|08|yourtrap|03|com|00|"; fast_pattern; nocase; distance:0; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016135; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-4792 EIP in URI IE 8"; flow:established,to_server; content:"/%E0%AC%B0%E0%B0%8C"; fast_pattern:only; content:"/%E0%AC%B0%E0%B0%8C"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016136; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (1)"; flow:established,to_server; content:"/%E0%B4%8C%E1%88%92"; fast_pattern:only; content:"/%E0%B4%8C%E1%88%92"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016137; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"CollectGarbage"; nocase; content:"try"; nocase; distance:0; content:".values"; nocase; distance:0; pcre:"/^[\r\n\s\+]*?=.+?\}[\r\n\s]*?catch/Rsi"; reference:cve,2012-4792; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016138; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TR/Spy.55808.201"; flow:to_server,established; content:"POST"; http_method; content:"?imageid="; http_uri; content:"&type="; http_uri; content:"User-Agent|3a 20|iexplorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2016139; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (iexplorer)"; flow:to_server,established; content:"User-Agent|3a 20|iexplorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2016140; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Exectuable Download from dotted-quad Host"; flow:established,to_server; content:".exe"; http_uri; nocase; content:".exe HTTP/1."; fast_pattern:only; content:"Host|3A 20|"; http_header; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|"; http_header; distance:1; within:3; content:"|2E|"; http_header; distance:1; within:3; pcre:"/^Host\x3A\x20[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}(\x3A|\x0D\x0A)/Hmi"; classtype:trojan-activity; sid:2016141; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (2)"; flow:established,to_server; content:"Java/1"; http_header; content:"&partners="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016142; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016143; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injected iframe leading to Redkit Jan 02 2013"; flow:established,from_server; file_data; content:"iframe name="; pcre:"/^[\r\n\s]*[\w]+[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2 src=http|3a|//"; within:71; fast_pattern:48,20; pcre:"/^[^\r\n\s>]+\/[a-z]{4,5}\.html\>\<\/iframe\>/R"; classtype:trojan-activity; sid:2016144; rev:2;)
+
+#
+alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PTUNNEL OUTBOUND"; itype:8; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016145; rev:2;)
+
+#
+alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PTUNNEL INBOUND"; itype:0; icode:0; content:"|D5 20 08 80|"; depth:4; reference:url,github.com/madeye/ptunnel; reference:url,cs.uit.no/~daniels/PingTunnel/#protocol; classtype:protocol-command-decode; sid:2016146; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Request for fake postal receipt from e-mail link"; flow:established,to_server; content:".php?php=receipt"; http_uri; pcre:"/^\/[A-Z]+\.php\?php=receipt$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016147; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Plugin Advanced Custom Fields Remote File Inclusion"; flow:established,to_server; content:"/wp-content/plugins/advanced-custom-fields/core/actions/export.php"; nocase; http_uri; fast_pattern:20,20; content:"abspath="; nocase; http_client_body; pcre:"/abspath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Pi"; classtype:attempted-user; sid:2016148; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP RAT"; flow:established,to_client; file_data; content:"<table id=\"filetable\" class=\"filelist\" cellspacing=\"1px\" cellpadding=\"0px\">"; classtype:attempted-user; sid:2016151; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSP File Admin"; flow:established,to_client; file_data; content:"<h2>(L)aunch external program</h2>"; classtype:attempted-user; sid:2016152; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - JSP File Admin - POST Structure - dir"; flow:established,to_server; content:"POST"; http_method; content:"dir="; http_client_body; content:"&sort="; http_client_body; content:"&command="; http_client_body; content:"&Submit="; http_client_body; classtype:attempted-user; sid:2016153; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible TURKTRUST Spoofed Google Cert"; flow:established,from_server; content:"|16 03|"; depth:2; content:"*.EGO.GOV.TR"; nocase; fast_pattern:only; content:"*.google.com"; classtype:policy-violation; sid:2016154; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) - Font Exploit - 32HexChar.eot"; flow:established,to_server; urilen:>36; content:".eot"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\.eot$/U"; classtype:attempted-user; sid:2016155; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mahara query Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/group/members.php?"; nocase; http_uri; fast_pattern:only; content:"id="; nocase; http_uri; content:"query="; nocase; http_uri; pcre:"/query\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/56718; classtype:web-application-attack; sid:2016156; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHM filtername Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/mail/filters/editfilter.html?"; nocase; http_uri; content:"account="; nocase; http_uri; content:"filtername="; nocase; http_uri; pcre:"/filtername\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/57061; classtype:web-application-attack; sid:2016157; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Google Doc Embedder plugin file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/google-document-embedder/libs/pdf.php?"; nocase; http_uri; fast_pattern:20,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,secunia.com/advisories/50832; classtype:web-application-attack; sid:2016158; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simple Machines Forum ssi_function parameter path disclosure vulnerability"; flow:established,to_server; content:"/SSI.php?ssi_function="; nocase; http_uri; reference:url,packetstormsecurity.com/files/119240/Simple-Machines-Forum-2.0.3-Path-Disclosure.html; classtype:web-application-attack; sid:2016159; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of green Remote File Inclusion Attempt"; flow:established,to_server; content:"/style/green/get_templet.php?"; nocase; http_uri; content:"MyStyle[StylePath]="; nocase; http_uri; pcre:"/MyStyle\[StylePath\]=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016163; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteGo get_templet.php of blue Remote File Inclusion Attempt"; flow:established,to_server; content:"/style/blue/get_templet.php?"; nocase; http_uri; content:"MyStyle[StylePath]="; nocase; http_uri; pcre:"/MyStyle\[StylePath\]=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.com/files/116412/SiteGo-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016164; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS cPanel dir Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/x3/files/dir.html?"; nocase; http_uri; fast_pattern; content:"showhidden="; nocase; http_uri; content:"dir="; nocase; http_uri; pcre:"/dir\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|error|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/57064; classtype:web-application-attack; sid:2016165; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit PluginDetect FromCharCode Jan 04 2013"; flowbits:set,et.exploitkitlanding; flow:established,to_client; file_data; content:"80,108,117,103,105,110,68,101,116,101,99,116"; distance:0; classtype:attempted-user; sid:2016166; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Poison Ivy.2013Jan04 victim beacon"; flow:established,to_server; dsize:48; content:"|1e de 5c f1 1f f6 94 12 d1 fa f1 42 8c fe 8d f7|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016167; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Poison Ivy.2013Jan04 server response"; flow:established,from_server; dsize:48; content:"|48 3A E9 78 C0 B9 2E 3F 9A 49 C5 56 65 5F CE 22|"; offset:16; depth:16; reference:md5,62f20326e0f08c0786df6886f0427ea7; classtype:trojan-activity; sid:2016168; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:"/cb.php?action="; http_uri; classtype:bad-unknown; sid:2016169; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CVE-2012-4792 EIP in URI (2)"; flow:established,to_server; content:"/%E0%B4%8C%E1%82%AB"; fast_pattern:only; content:"/%E0%B4%8C%E1%82%AB"; http_raw_uri; content:"MSIE 8.0|3b|"; http_header; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016170; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; classtype:trojan-activity; sid:2016171; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic -POST To file.php w/Extended ASCII Characters"; flow:established,to_server; content:"POST"; http_method; content:"/file.php"; http_uri; content:!"Referer: "; http_header; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/P"; classtype:bad-unknown; sid:2016172; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic -POST To gate.php w/Extended ASCII Characters"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:!"Referer: "; http_header; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}/P"; classtype:bad-unknown; sid:2016173; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY RedKit - Landing Page"; flow:established,to_client; file_data; content:".jar"; nocase; fast_pattern; content:".pdf"; nocase; content:"Msxml2.XMLHTTP"; nocase; pcre:"/\/[0-9]{3}\.jar/"; pcre:"/\/[0-9]{3}\.pdf/"; classtype:trojan-activity; sid:2016174; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type YAML"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"yaml"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])yaml\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016175; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; content:"POST"; http_method; content:"|0d 0a|Content-Type|3a 20|"; pcre:"/^(?:application\/(?:x-)?|text\/)xml/R"; content:" type="; http_client_body; nocase; fast_pattern; content:"symbol"; distance:0; nocase; http_client_body; pcre:"/<[^>]*\stype\s*=\s*([\x22\x27])symbol\1/Pi"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FakeAV security_scanner.exe"; flow:established,to_client; content:"Content-Disposition|3a| "; http_header; content:"filename=|22|security_scanner.exe|22|"; fast_pattern:9,20; http_header; classtype:trojan-activity; sid:2016177; rev:1;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 1"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016178; rev:2;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 2"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016179; rev:2;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 3"; content:"|30|"; depth:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|02|"; distance:-129; within:1; byte_test:1,!&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016180; rev:2;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP missing community string attempt 4"; content:"|30|"; depth:1; byte_test:1,!&,0x80,0,relative,big; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,0,relative,big; byte_jump:1,0,relative; content:"|04 00|"; distance:-129; within:2; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2016181; rev:2;)
+
+#
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion componentutils access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/componentutils"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016182; rev:4;)
+
+#
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion adminapi access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/adminapi"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016183; rev:3;)
+
+#
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion administrator access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/CFIDE/administrator"; http_uri; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016184; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Ransomware Checkin"; flow:established,to_server; content:"/index.html"; http_uri; content:"POST"; http_method; content:!"User-Agent|3a| "; http_header; content:"application/octet-stream|0d 0a 0d 0a|"; http_client_body; content:"/"; http_client_body; distance:2; within:1; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2016185; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Tobfy.Ransomware CnC Request - status.php"; flow:established,to_server; content:"/status.php"; http_uri; content:".my-files-download.ru"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x2Emy\x2Dfiles\x2Ddownload\x2Eru/H"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:trojan-activity; sid:2016186; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Tobfy.Ransomware Invalid URI CnC Request - "; flow:established,to_server; content:"/.ru|60|utr/qiq"; http_uri; content:".my-files-download.ru"; http_header; pcre:"/Host\x3A\x20[^\r\n]*\x2Emy\x2Dfiles\x2Ddownload\x2Eru/H"; reference:url,blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html; classtype:trojan-activity; sid:2016187; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential Zeus Binary Download - Specific PE Sections Structure"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE|00 00|"; distance:0; content:".text"; distance:0; content:"m13"; distance:0; content:"m12"; distance:0; content:"m11"; distance:0; content:"m10"; distance:0; content:"m9"; distance:0; content:"m8"; distance:0; content:"m7"; distance:0; content:"m6"; distance:0; content:"m5"; distance:0; content:"m4"; distance:0; content:"m3"; distance:0; content:".data"; distance:0; content:".data2"; distance:0; reference:url,ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf; classtype:trojan-activity; sid:2016188; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Midhos/Medfos downloader"; flow:established,to_server; content:"/upload/fid="; http_uri; content:"AAAAAAAAAAA"; http_uri; content:!"Accept|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; content:"Host|3a 20|megaupload.com|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0"; http_header; classtype:trojan-activity; sid:2016189; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"<div id=|22|heap_allign|22|></div>"; classtype:bad-unknown; sid:2016191; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"<title>Please wait...</title>"; nocase; content:"<div id="; content:"></div><div id="; distance:5; within:16; classtype:bad-unknown; sid:2016192; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Landing Page Requested - /?Digit"; flow:established,to_server; urilen:9<>16; content:"/?"; http_uri; depth:13; pcre:"/^\/[a-z0-9]{6,10}\/\?[0-9]{1,2}$/Ui"; classtype:bad-unknown; sid:2016193; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress NextGEN Gallery plugin test-head parameter XSS Attempt"; flow:established,to_server; content:"/wp-content/plugins/nextgen-gallery/nggallery.php?"; nocase; http_uri; fast_pattern:19,20; content:"test-head="; nocase; http_uri; pcre:"/test\-head\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/119360/WordPress-NextGEN-Gallery-1.9.10-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016194; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Browser Rejector Plugin wppath Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/browser-rejector/rejectr.js.php?"; nocase; http_uri; fast_pattern:19,20; content:"wppath="; nocase; http_uri; pcre:"/wppath=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51739/; classtype:web-application-attack; sid:2016195; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Dell OpenManage Server Administrator topic parameter XSS Attempt"; flow:established,to_server; content:"/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?"; nocase; http_uri; content:"topic="; nocase; http_uri; pcre:"/topic\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,kb.cert.org/vuls/id/950172; classtype:web-application-attack; sid:2016196; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Free Blog Arbitrary File Deletion Attempt"; flow:established,to_server; content:"/up.php?del="; nocase; http_uri; fast_pattern:only; content:"del="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/119385/Free-Blog-1.0-Shell-Upload-Arbitrary-File-Deletion.html; classtype:web-application-attack; sid:2016198; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Adiscon LogAnalyzer viewid Cross-Site Scripting Attempt"; flow:established,to_server; content:"/src/userchange.php?"; nocase; http_uri; content:"op=changeview"; nocase; http_uri; fast_pattern; content:"viewid="; nocase; http_uri; pcre:"/viewid\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,secunia.com/advisories/51816/; classtype:web-application-attack; sid:2016199; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyBrowser tinybrowser.php file Script Execution Attempt"; flow:established,to_server; content:"/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?"; nocase; http_uri; content:"type="; nocase; http_uri; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016200; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyBrowser edit.php file Script Execution Attempt"; flow:established,to_server; content:"/js/tiny_mce/plugins/tinybrowser/edit.php?"; nocase; http_uri; content:"type="; nocase; http_uri; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016201; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyBrowser upload.php file Script Execution Attempt"; flow:established,to_server; content:"/js/tiny_mce/plugins/tinybrowser/upload.php?"; nocase; http_uri; content:"type="; nocase; http_uri; reference:url,securityfocus.com/bid/57230/; classtype:web-application-attack; sid:2016202; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Gallery Plugin filename_1 Parameter Remote File Access Attempt"; flow:established,to_server; content:"/wp-content/plugins/gallery-plugin/gallery-plugin.php?"; nocase; http_uri; fast_pattern:33,20; content:"filename_1="; nocase; http_uri; pcre:"/filename\_1=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,securityfocus.com/bid/57256/; classtype:web-application-attack; sid:2016203; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fareit Checkin 2"; flow:to_server,established; content:"POST "; depth:5; content:"/forum/viewtopic.php"; within:20; content:"Windows 98|0d 0a 0d 0a|"; fast_pattern:only; content:"Content-Type|3a| application/octet-stream"; reference:md5,10baa5250610fc2b5b2cdf932f2007c0; classtype:trojan-activity; sid:2016550; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby"; flow:established,to_server; content:" type"; nocase; fast_pattern; content:"yaml"; distance:0; nocase; content:"!ruby"; nocase; distance:0; pcre:"/<(?P<tname>[^\s]+)[^>]*?\stype\s*=\s*(?P<q>[\x22\x27])yaml(?P=q)((?!<\/(?P=tname)).+?)!ruby/si"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-attack; sid:2016204; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zemra.DDoS.Bot Variant CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/telnet_cmd.php"; fast_pattern; http_uri; content:"User-Agent|3A| Opera/9.61|0D 0A|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; content:"&c="; http_client_body; distance:0; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-1.html; reference:url,thegoldenmessenger.blogspot.de/2012/09/2-disclosure-of-interesting-botnet-part-2.html; classtype:trojan-activity; sid:2016205; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Iyus.H Initial CnC Beacon"; flow:established,to_server; content:"/run1/pr.php?p1="; fast_pattern:only; http_uri; content:"&p2="; http_uri; content:"&id="; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:trojan-activity; sid:2016206; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Iyus.H work_troy.php CnC Request"; flow:established,to_server; content:"/work_troy.php?id="; fast_pattern:only; http_uri; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Iyus-H/detailed-analysis.aspx; classtype:trojan-activity; sid:2016207; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader Secondary Download Request - W32/Hupigon.Backdoor Likely Secondary Payload"; flow:established,to_server; content:"/pir/bfg.php?dll="; http_uri; fast_pattern:only; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; sid:2016208; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/CoolPaperLeak Sending Information To CnC"; flow:established,to_server; content:"POST"; http_method; content:"/geturl.aspx?email="; http_uri; content:"&lat="; http_uri; content:"&lon="; http_uri; content:"&mobile="; http_uri; content:"&group="; http_uri; reference:url,www.symantec.com/connect/blogs/androidcoolpaperleak-million-download-baby; classtype:trojan-activity; sid:2016209; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; content:".pdf"; http_uri; pcre:"/\x2F[0-9]{3}\.pdf$/U"; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:trojan-activity; sid:2016210; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Karagany.Downloader CnC Beacon"; flow:established,to_server; urilen:6; content:".htm"; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.0|3B| Trident/5.0)"; fast_pattern:47,20; http_header; pcre:"/^\x2F[a-z]{1}\x2Ehtm$/U"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,malwaremustdie.blogspot.co.uk/2013/01/once-upon-time-with-cool-exploit-kit.html; reference:url,www.fortiguard.com/latest/av/4057936; reference:md5,92899c20da4d9db5627af89998aadc58; classtype:trojan-activity; sid:2016211; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BroBot POST"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 Firefox/3.6.12|0d 0a|"; http_header; fast_pattern:20,20; pcre:"/^(?:c(?:omment|_id)|m(?:jdu)?)=/P"; threshold: type limit, count 1, seconds 300, track by_src; classtype:web-application-attack; sid:2016212; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:trojan-activity; sid:2016213; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/nt/th"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/nt/th"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/nt\/th$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016214; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/nt/sk"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/nt/sk"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/nt\/sk$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016215; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/dllhost/ac"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/dllhost/ac"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/dllhost\/ac$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016216; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/ms/check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/ms/check"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/ms\/check$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016217; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/ms/flush"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/ms/flush"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/ms\/flush$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016218; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/win/wcx"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/win/wcx"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/win\/wcx$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016219; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Red October/Win32.Digitalia Checkin cgi-bin/win/cab"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/cgi-bin/win/cab"; http_uri; content:!"User-Agent|3a| "; http_header; pcre:"/\/cgi-bin\/win\/cab$/Ui"; reference:url,www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation; classtype:trojan-activity; sid:2016220; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download"; flow:established,to_server; content:"/pics/new.png"; http_uri; fast_pattern:only; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/new\.png$/U"; classtype:trojan-activity; sid:2016221; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN GET with HTML tag in start of URI seen with PHPMyAdmin scanning"; flow:established,to_server; content:"<title>"; http_uri; depth:7; content:"GET"; http_method; classtype:web-application-attack; sid:2016222; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Red October proxy CnC 1"; flow:to_client,established; content:"ETag|3a 20 22|8c0bf6-ba-4b975a53906e4|22|"; http_header; classtype:trojan-activity; sid:2016224; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Red October proxy CnC 2"; flow:to_client,established; content:"ETag|3a 20 22|1c824e-ba-4bcd8c8b36340|22|"; http_header; classtype:trojan-activity; sid:2016225; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Red October proxy CnC 3"; flow:to_client,established; content:"ETag|3a 20|W/|22|186-1333538825000|22|"; http_header; classtype:trojan-activity; sid:2016226; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"<title>Loading, Please Wait...</title>"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Jar"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"B.class"; fast_pattern:only; pcre:"/[^a-zA-Z0-9_\-.]B\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; content:!"Browser.class"; classtype:attempted-user; sid:2016228; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Jar Download"; flow:established,to_server; content:".php"; http_uri; content:"/"; http_uri; distance:-6; within:1; pcre:"/\/[a-f0-9]{16}([a-f0-9]{16})?\/[a-z]\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016229; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Age Verification plugin redirect_to Parameter URI Redirection"; flow:established,to_server; content:"/wp-content/plugins/age-verification/age-verification.php?"; nocase; fast_pattern:20,20; http_uri; content:"redirect_to="; nocase; http_uri; pcre:"/redirect\_to=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,securityfocus.com/bid/51357/; classtype:web-application-attack; sid:2016230; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cartweaver 3 Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/helpfiles/AdminHelp.php?"; nocase; http_uri; content:"helpFileName="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/117370/Cartweaver-3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016231; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_bit controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bit"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/118943/Joomla-Bit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016232; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_ztautolink controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_ztautolink"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/118944/Joomla-ZtAutoLink-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016233; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mu Perspectives Cms id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/site_news.php?id="; nocase; http_uri; pcre:"/id\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/116148/Mu-Perspectives-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016234; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability"; flow:to_client,established; file_data; content:"45E66957-2932-432A-A156-31503DF0A681"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016236; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung Kies ActiveX PrepareSync method Buffer overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EA8A3985-F9DF-4652-A255-E4E7772AFCA8"; nocase; distance:0; content:".PrepareSync"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119423/Samsung-Kies-2.5.0.12114_1-Buffer-Overflow.html; classtype:attempted-user; sid:2016237; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Incapsula component Security.php XSS Attempt"; flow:established,to_server; content:"/com_incapsula/assets/tips/en/Security.php?"; nocase; http_uri; fast_pattern; content:"token="; nocase; http_uri; pcre:"/token\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016238; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Incapsula component Performance.php file XSS Attempt"; flow:established,to_server; content:"/com_incapsula/assets/tips/en/Performance.php?"; nocase; http_uri; fast_pattern; content:"token="; nocase; http_uri; pcre:"/token\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/119364/Joomla-Incapsula-1.4.6_b-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016239; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"KeyHelp.KeyScript"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016235; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016242; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request for FakeAV Binary /two/data.exe Infection Campaign"; flow:established,to_server; content:"/index/two/data.exe"; http_uri; classtype:trojan-activity; sid:2016243; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Symlink_Sa"; flow:established,to_client; file_data; content:"<title>Symlink_Sa"; classtype:bad-unknown; sid:2016244; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<b>Software|3a|"; content:"<b>uname -a|3a|"; content:"<b>uid="; classtype:bad-unknown; sid:2016245; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (1)"; flow:established,to_server; content:"/Gobon.class"; http_uri; content:" Java/"; http_header; classtype:bad-unknown; sid:2016249; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (2)"; flow:established,to_server; content:"/Runs.class"; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2016250; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown POST of Windows PW Hashes to External Site"; flow:established,to_server; content:"POST"; http_method; content:"X-ID|3a|"; http_header; content:"PSTORE|3a|"; http_client_body; classtype:trojan-activity; sid:2016252; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown POST of System Info"; flow:established,to_server; content:"POST"; http_method; content:"X-ID|3a|"; http_header; content:"User is SYSTEM|3a|"; http_client_body; classtype:trojan-activity; sid:2016253; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Poison Ivy Variant Jan 24 2013"; flow:established,from_server; dsize:48; content:"|52 13 34 da 18 3d 2f 45 a2 09 93 52 01 23 51 e3|"; offset: 16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016270; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Poison Ivy Variant Jan 24 2013"; flow:established,to_server; dsize:48; content:"|84 a5 f0 be 11 da ce 7e c9 4a 9a af 40 24 8a f5|"; offset:16; depth:16; reference:url,blog.avast.com/2013/01/22/reporters-without-borders-website-misused-in-wateringhole-attack/; classtype:trojan-activity; sid:2016271; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bilakip.A Downloader API Ping CnC Beacon"; flow:established,to_server; content:"/api/ping?stage="; http_uri; content:"&uid="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:trojan-activity; sid:2016273; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bilakip.A Downloader Viruslist Download For Populating FakeAV"; flow:established,to_server; content:"/viruslist/?uid="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?id=50100&name=TROJ_DLOADR.BKM&language=au; classtype:trojan-activity; sid:2016274; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Can be Used to Spawn Shell)"; flow:established,to_server; content:"POST"; http_method; content:"/script"; http_uri; nocase; pcre:"/\/script\/?$/Ui"; content:"script"; http_client_body; nocase; content:"Submit"; nocase; http_client_body; content:"Runtime"; http_client_body; nocase; content:"getRuntime"; nocase; http_client_body; distance:0; content:".exec"; nocase; http_client_body; classtype:attempted-user; sid:2016294; rev:9;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Windows CMD Shell)"; content:"POST"; http_method; nocase; content:"/script"; http_uri; nocase; pcre:"/\/script\/?$/Ui"; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; content:".decodeBuffer"; nocase; http_client_body; content:"cmd.exe"; http_client_body; fast_pattern; classtype:attempted-user; sid:2016295; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Jenkins Script Console Usage (Metasploit Unix Shell)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/script"; http_uri; nocase; pcre:"/\/script\/?$/Ui"; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; content:".decodeBuffer"; nocase; http_client_body; content:"/bin/sh"; http_client_body; fast_pattern; classtype:attempted-user; sid:2016296; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK - New PDF Exploit - Jan 24 2013"; flow:established,to_server; content:"3.pdf"; nocase; fast_pattern:only; http_uri; pcre:"/\/(?:(?:article|contact|new|sale)s|(?:fo|tu)r|public|read)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})3\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}3\.PDF)$/U"; classtype:trojan-activity; sid:2016278; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (2)"; flow:established,to_server; content:"/pics/image.gif"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/image\.gif$/U"; classtype:trojan-activity; sid:2016279; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (3)"; flow:established,to_server; content:"/pics/foto.png"; fast_pattern:only; http_uri; content:!"Referer|3a|"; http_header; nocase; pcre:"/\/(?:(?:article|contact|new)s|(?:fo|tu)r|public|read)\/pics\/foto\.png$/U"; classtype:trojan-activity; sid:2016280; rev:5;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS result Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/data/file/edit.php?"; nocase; http_uri; content:"hybridid="; nocase; http_uri; content:"result="; nocase; http_uri; pcre:"/keyword\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016282; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/users/users.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"keyword="; nocase; http_uri;pcre:"/keyword\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/115284/Openconstructor-CMS-3.12.0-Reflected-XSS.html; classtype:web-application-attack; sid:2016283; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CubeCart loc parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/admin.php?_g=filemanager/language"; nocase; http_uri; fast_pattern; content:"loc="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/119082/CubeCart-4.4.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016284; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GetSimple CMS path parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/filebrowser.php?"; nocase; http_uri; fast_pattern; content:"path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/115302/GetSimple-CMS-3.1.2-Local-File-Inclusion-Path-Disclosure.html; classtype:web-application-attack; sid:2016285; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; nocase; distance:0; content:".SaveToFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/24319/; classtype:attempted-user; sid:2016286; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Banana Dance name Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/functions/ajax.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"name="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.com/files/118964/Banana-Dance-B.2.6-Inclusion-Access-Control-SQL-Injection.html; classtype:web-application-attack; sid:2016287; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_collector Component Arbitrary File Upload Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_collector"; nocase; http_uri; fast_pattern:only; content:"view="; nocase; http_uri; reference:url,exploit-db.com/exploits/24228/; classtype:web-application-attack; sid:2016288; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS web wiz forums ForumID Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/forum_members.asp?"; nocase; http_uri; content:"find="; nocase; http_uri; content:"ForumID="; nocase; http_uri; pcre:"/ForumID\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016289; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS web wiz forums ThreadPage Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/post_message_form.asp?"; nocase; http_uri; content:"ForumID="; nocase; http_uri; content:"ThreadPage="; nocase; http_uri; pcre:"/ThreadPage\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/115886/Web-Wiz-Forums-10.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016290; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpMiniAdmin db Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/phpminiadmin.php?"; nocase; http_uri; fast_pattern; content:"XSS="; nocase; http_uri; content:"db="; nocase; http_uri; pcre:"/db\x3d.+(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|c(?:hange|lick)|(?:un)?load|focus|mouse|blur|key)|s(?:cript|tyle=))/Ui"; reference:url,cxsecurity.com/issue/WLB-2013010179; classtype:web-application-attack; sid:2016291; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Mashigoom/Tranwos/RevProxy ClickFraud - hello"; flow:established,to_server; threshold:type both,track by_src,seconds 60,count 1; dsize:<150; content:"hello/"; depth:6; content:"/"; within:3; distance:2; content:"/"; pcre:"/^hello\/[0-9]\.[0-9]\/[0-9]{3}/"; classtype:trojan-activity; sid:2016292; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RevProxy - ClickFraud - MIDUIDEND"; flow:established,to_server; dsize:46; content:"MID"; depth:3; content:"UID"; distance:32; within:3; content:"END"; distance:5; within:3; classtype:trojan-activity; sid:2016293; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:"<iframe"; pcre:"/^((?!<\/iframe>).)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Class Request (3)"; flow:established,to_server; content:"/Vlast.class"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2016299; rev:7;)
+
+#
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 1"; content:"miniupnpd/1."; fast_pattern:only; pcre:"/^Server\x3a[^\r\n]*miniupnpd\/1\.[0-3]/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2013-0229; classtype:successful-recon-limited; sid:2016302; rev:5;)
+
+#
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016303; rev:4;)
+
+#
+alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 3"; content:"Portable SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Portable SDK for UPnP devices(\/?\s*$|\/1\.([0-5]\..|8\.0.|(6\.[0-9]|6\.1[0-7])))/m"; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959; classtype:successful-recon-limited; sid:2016304; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Ruby on Rails CVE-2013-0333 Attempt"; flow:established,to_server; content:"|0d 0a|Content-Type|3a|"; nocase; pcre:"/^[^\r\n]*(?:application\/json(?:request)?|text\/x-json)/Ri"; content:"!ruby/"; nocase; distance:0; content:"NamedRouteCollection"; nocase; distance:0; reference:url,gist.github.com/4660248; classtype:web-application-activity; sid:2016305; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016306; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request"; flow:established,to_server; content:"/jdb/"; http_uri; nocase; content:".class"; http_uri; nocase; pcre:"/\/jdb\/[^\/]+\.class$/Ui"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016308; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit JAR Download"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016309; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; content:"/lib/adobe.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016310; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/ dir (Observed in Recent Pharma Spam)"; flow:established,to_server; content:"/components/com_content/"; http_uri; content:!"index.html"; nocase; within:10; http_uri; content:".html"; nocase; http_uri; distance:0; classtype:bad-unknown; sid:2016311; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/DownloaderAgent.fajk Successful Infection CnC Beacon"; flow:established,to_server; content:"GET /admin/count.php?isOnline=1 HTTP/1."; depth:39; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:trojan-activity; sid:2016312; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/DownloaderAgent.fajk Second Stage Download List Requested"; flow:established,to_server; content:"GET /Down/list.txt HTTP/1."; depth:26; reference:url,www.securelist.com/en/descriptions/15316120/Trojan.Win32.Agent.fajk; classtype:trojan-activity; sid:2016313; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/SSHDoor.A Reporting Backdoor CnC Beacon"; flow:established,to_server; content:"port="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; pcre:"/port\x3D[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x3A[0-9]{1,5}/U"; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:trojan-activity; sid:2016314; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:trojan-activity; sid:2016315; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/StartPage.eba Dropper Checkin"; flow:established,to_server; content:"/Count.asp?mac="; http_uri; content:"&ver="; http_uri; content:"&t="; http_uri; content:"User-Agent|3a| Forthgoer"; http_header; reference:url,www.securelist.com/en/descriptions/24621847/Trojan-Dropper.Win32.StartPage.eba; classtype:trojan-activity; sid:2016316; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious user-agent (f**king)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"fucking|0d 0a|"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]+fucking/Hmi"; classtype:trojan-activity; sid:2016317; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"<applet"; fast_pattern:only; content:"value"; pcre:"/^\s*=\s*[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016319; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit Java gif download"; flow:established,to_server; content:".gif"; http_uri; pcre:"/\.gif$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016320; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:trojan-activity; sid:2016321; rev:2;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5958 ST DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE_2012-5958; reference:cve,CVE-2012-5962; classtype:attempted-dos; sid:2016322; rev:1;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5963 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*uuid\x3a[^\r\n\x3a]{181}/Ri"; reference:cve,CVE-2012-5963; classtype:attempted-dos; sid:2016323; rev:1;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5964 ST URN ServiceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3aservice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|service"; nocase; fast_pattern:only; reference:cve,CVE-2012-5964; classtype:attempted-dos; sid:2016324; rev:1;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5965 ST URN DeviceType Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*urn\x3adevice\x3a[^\r\n\x3a]{181}/Ri"; content:"urn|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5965; classtype:attempted-dos; sid:2016325; rev:1;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET DOS LibuPnP CVE-2012-5961 ST UDN Buffer Overflow"; content:"|0D 0A|ST|3A|"; nocase; pcre:"/^[^\r\n]*schemas\x3adevice\x3a[^\r\n\x3a]{1,180}\x3a[^\r\n\x3a]{181}/Ri"; content:"schemas|3a|device"; nocase; fast_pattern:only; reference:cve,CVE-2012-5961; classtype:attempted-dos; sid:2016326; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Generic - POST to myform.php"; flow:established,to_server; content:"POST"; http_method; content:"/myform.php"; http_uri; classtype:bad-unknown; sid:2016327; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeuS Post to C&C footer.php"; flow:established,to_server; content:"/footer.php"; http_uri; content:"POST"; http_method; content:!"Accept-"; http_header; classtype:trojan-activity; sid:2016328; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SecVerif.Downloader Initial Checkin"; flow:established,to_server; content:"/atp.txt"; http_uri; fast_pattern; content:"Accept-Language|3A| de-at"; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:trojan-activity; sid:2016329; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/SecVerif.Downloader Second Stage Download Request"; flow:established,to_server; content:"/ssl/cert.dll"; fast_pattern; http_uri; content:"Accept-Language|3A| de-at"; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; reference:url,anubis.iseclab.org/?action=result&task_id=19f379c075627c7b44d0a0db154394f63; classtype:trojan-activity; sid:2016330; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET TROJAN W32/Jabberbot.A Trednet XMPP CnC Beacon"; flow:established,to_server; content:"trednet@jabber.ru"; fast_pattern:only; reference:url,blog.eset.com/2013/01/30/walking-through-win32jabberbot-a-instant-messaging-cc; classtype:trojan-activity; sid:2016331; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; content:"<applet"; nocase; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q>[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:trojan-activity; sid:2016333; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSClass file Parameter Remote File Access Attempt"; flow:established,to_server; content:"/oc-admin/index.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"action=upgrade"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016334; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 1"; flow:established,to_server; content:"/oc-admin/index.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"action=enable_category"; nocase; http_uri; fast_pattern; content:"id="; nocase; http_uri; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016335; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS OSClass id parameter data access Attempt 2"; flow:established,to_server; content:"/oc-admin/index.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"action=edit_category_post"; nocase; http_uri; fast_pattern; content:"id="; nocase; http_uri; reference:url,securityfocus.com/bid/51721/; classtype:web-application-attack; sid:2016336; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern:12,20; nocase; http_uri; content:"src="; nocase; http_uri; pcre:"/src\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016337; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/themes/dt-chocolate/thumb.php?"; fast_pattern:12,20; nocase; http_uri; content:"h="; nocase; http_uri; content:"src="; nocase; http_uri; pcre:"/src=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,securityfocus.com/bid/57541/; classtype:web-application-attack; sid:2016338; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMSQLITE id parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/admin/mediaAdmin.php?"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016339; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMSQLITE mediaAdmin.php file Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/mediaAdmin.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,securityfocus.com/bid/56132/; classtype:web-application-attack; sid:2016340; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Feb 04 2012"; flow:established,from_server; file_data; content:"applet"; content:"Ojj"; within:300; content:"Dyy"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016341; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Beebus HTTP POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/s/asp?"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 |28|compatible|3B 20 29 0D 0A|"; http_header; reference:url,blog.fireeye.com/research/2013/02/operation-beebus.html; classtype:trojan-activity; sid:2016342; rev:1;)
+
+#Angel Alonso Parrizas
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android TrojanFakeLookout.A"; flow:established,to_server; urilen:13; content:"/controls.php"; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:url,blog.trustgo.com/fakelookout/; reference:md5,65baecf1fe1ec7b074a5255dc5014beb; classtype:trojan-activity; sid:2016343; rev:2;)
+
+#Angel Alonso Parrizas
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Fakelash.A!tr.spy Checkin"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&online="; distance:0; http_uri; content:"&m="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"User-Agent|3a| Dalvik/"; http_header; reference:md5,7dec1c9174d0f688667f6c34c0fa66c2; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:2016344; rev:2;)
+
+#Angel Alonso Parrizas
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Variant"; flow:established,to_server; content:"GET /search/"; content:".php?i="; distance:0; content:"1.0|0d 0a|User-Agent|3a| unknown|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2016345; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; pcre:"/^[a-z]+\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteHole Exploit Landing Page"; flow:established,from_server; file_data; content:".jar?java="; nocase; fast_pattern:only; content:"<applet"; pcre:"/^((?!<\/applet>).)+?\.jar\?java=\d+/R"; content:" name="; content:"http"; within:5; content:" name="; content:"ftp"; within:4; classtype:trojan-activity; sid:2016348; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Jar Request"; flow:to_server,established; content:".jar?java="; http_uri; fast_pattern:only; nocase; content:" Java/1."; http_header; pcre:"/\.jar\?java=\d+$/Ui"; classtype:trojan-activity; sid:2016349; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WhiteHole Exploit Kit Payload Download"; flow:established,to_server; content:"/?whole="; nocase; http_uri; fast_pattern:only; content:" Java/1."; http_header; pcre:"/\/\?whole=\d+$/Ui"; classtype:trojan-activity; sid:2016350; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi TDS"; flow:established,to_server; content:"/jerk.cgi?"; fast_pattern:only; http_uri; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016352; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value="; distance:0; content:"/getmyfile.exe?o="; distance:0; nocase; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016353; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WSO WebShell Activity POST structure 2"; flow:established,to_server; content:"POST"; http_method; content:" name=|22|c|22|"; http_client_body; content:"name=|22|p1|22|"; http_client_body; fast_pattern; pcre:"/name=(?P<q>[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/ServStart.Variant CnC Beacon"; flow:established,to_server; content:"&mac="; http_uri; nocase; content:"type="; http_uri; nocase; content:"id="; http_uri; nocase; content:"User-Agent|3A| Google ++|0D 0A|"; http_header; fast_pattern:3,20; classtype:trojan-activity; sid:2016355; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/ZeroAccess Counter.img Checkin"; flow:established,to_server; content:"/counter.img?theme="; fast_pattern; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"User-Agent|3A| Opera/9 (Windows NT "; http_header; reference:url,malwaremustdie.blogspot.co.uk/2013/02/blackhole-of-closest-version-with.html; classtype:trojan-activity; sid:2016358; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Request for fake postal receipt from e-mail link"; flow:established,to_server; content:"receipt="; nocase; http_uri; fast_pattern:only; pcre:"/\.php\?(print_)?receipt=(s00|\d{3})_\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016359; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; classtype:misc-activity; sid:2016360; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - ClassID"; flow:established,to_client; file_data; content:"CAFEEFAC-00"; content:"-FFFF-ABCDEFFEDCBA"; distance:7; within:18; classtype:misc-activity; sid:2016361; rev:1;)
+
+#
+alert udp any any -> $HOME_NET 1900 (msg:"ET DOS Miniupnpd M-SEARCH Buffer Overflow CVE-2013-0229"; content:"M-SEARCH"; depth:8; isdataat:1492,relative; content:!"|0d 0a|"; distance:1490; within:2; reference:url,community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play; reference:url,upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,CVE-2013-0229; classtype:attempted-dos; sid:2016363; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Umbra/Multibot Loader User-Agent (umbra)"; flow:established,to_server; content:"User-Agent|3a| umbra|0d 0a|"; http_header; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016366; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Umbra/MultiBot Plugin access"; flow:established,to_server; content:"/admin/plugins/"; http_uri; content:"User-Agent|3a| umbra|0d 0a|"; http_header; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016367; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Toby.N Multilocker Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/picture.php"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/\/picture\.php$/U"; pcre:"/^Host\x3a[^\r\n]+?\r\nConnection\x3a\x20Keep-Alive\r\n(\r\n)?$/H"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016368; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Toby.N Multilocker Request"; flow:established,to_server; content:"/upload/img.jpg"; http_uri; content:" MSIE 6.0|3b| "; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}\r$/Hm"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016369; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Toby.N Multilocker Image Request"; flow:established,to_server; content:"/upload/mp3.mp3"; http_uri; content:" MSIE 6.0|3b| "; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}\r$/Hm"; reference:url,malware.dontneedcoffee.com/2013/02/inside-multi-botnet-ver4-c-panel.html; classtype:trojan-activity; sid:2016370; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit Java jpg download"; flow:established,to_server; content:".jpg"; http_uri; pcre:"/\.jpg$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016371; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:"<applet "; content:"new PDFObject"; classtype:trojan-activity; sid:2016373; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jaxws.jar"; flow:established,to_server; content:"/jaxws.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016374; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jre.jar"; flow:established,to_server; content:"/jre.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016375; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:"stealth.exe"; within:60; classtype:trojan-activity; sid:2016377; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM EK - Java Exploit - fbyte.jar"; flow:established,to_server; content:"/fbyte.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016378; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - JAR Containing Windows Executable"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2016379; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Encrypted Binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|25 3e fc 75 7b|"; within:5; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016380; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP ecommerce Shop Styling Plugin dompdf RFI Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-ecommerce-shop-styling/includes/generate-pdf.php?"; nocase; fast_pattern:20,20; http_uri; content:"dompdf="; nocase; http_uri; pcre:"/dompdf=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51707/; classtype:web-application-attack; sid:2016381; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"520F4CFD-61C6-4EED-8004-C26D514D3D19"; nocase; distance:0; content:".save"; nocase; distance:0; reference:url,1337day.org/exploit/15398; classtype:attempted-user; sid:2016382; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Audio Player Plugin playerID parameter XSS attempt in swf"; flow:established,to_server; content:"/wp-content/plugins/audio-player/assets/player.swf?"; nocase; http_uri; fast_pattern:20,20; content:"playerID="; nocase; http_uri; pcre:"/playerID\x3d.+\)\)\}catch\(.+\)\{/Ui"; reference:url,packetstormsecurity.com/files/120129/WordPress-Audio-Player-SWF-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016383; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CommentLuv Plugin _ajax_nonce Parameter XSS Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/wp-admin/admin-ajax.php"; nocase; http_uri; content:"_ajax_nonce="; nocase; http_client_body; pcre:"/\_ajax\_nonce\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Pi"; reference:url,securityfocus.com/bid/57771/; classtype:web-application-attack; sid:2016384; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; reference:url,anubis.iseclab.org/index.php?action=result&task_id=4fdbf09e9bb20824658cfd45b63a309e; classtype:trojan-activity; sid:2016385; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android/DNightmare -Task Killer Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"/m/gne/suggest?q="; nocase; http_uri; fast_pattern; content:"SID=DQAAAKQAAAAHga"; http_cookie; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016387; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteGo file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/extra/contacts/DownloadMailAttach.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,securityfocus.com/bid/57845/; classtype:web-application-attack; sid:2016388; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SiteGo OpenFolder parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/admin/extra/StyleManager/EditFile.php?"; nocase; http_uri; content:"OpenFolder="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,securityfocus.com/bid/57845/; classtype:web-application-attack; sid:2016389; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Glossword gw_admin.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/1.8/gw_admin.php?a="; nocase; http_uri; content:"t="; nocase; http_uri; pcre:"/a\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.com/files/120045/Glossword-1.8.12-XSS-CSRF-Shell-Upload-Database-Disclosure.html; classtype:web-application-attack; sid:2016390; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/FloatingCloud.Banker CnC Beacon"; flow:established,to_server; content:"/Install/Post.asp?Uid="; http_uri; nocase; pcre:"/\x2FPost\x2Easp\x3FUid\x3D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}\x2D[a-f0-9]{8}$/Ui"; reference:url,www.securelist.com/en/blog/798/God_horses_are_floating_clouds_The_story_of_a_Chinese_banker_Trojan; classtype:trojan-activity; sid:2016399; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Uncompressed"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; classtype:trojan-activity; sid:2016394; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File With Flash"; flow:to_client,established; content:"CONTROL ShockwaveFlash.ShockwaveFlash"; flowbits:isset,OLE.CompoundFile; flowbits:set,OLE.WithFlash; classtype:protocol-command-decode; sid:2016395; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016397; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0364; classtype:trojan-activity; sid:2016401; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit Java png download"; flow:established,to_server; content:".png"; http_uri; pcre:"/\.png$/U"; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016402; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO MPEG Download Over HTTP (1)"; flow:established,to_client; file_data; content:"|00 00 01 ba|"; depth:4; flowbits:set,ET.mpeg.HTTP; flowbits:noalert; classtype:not-suspicious; sid:2016404; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK - PDF Exploit - Feb 12 2013"; flow:established,to_server; content:".pdf"; nocase; http_uri; fast_pattern:only; pcre:"/\/w(?:hite|orld|step)\/.*(?:(?:([A-Z][a-z]{3,20}[-._])?[A-Z][a-z]{3,20}|([a-z]{4,20}[-._])?[a-z]{4,20})\.pdf|([A-Z]{4,20}[-._])?[A-Z]{4,20}\.PDF)$/U"; classtype:trojan-activity; sid:2016405; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 12 2013"; flow:established,to_client; file_data; content:"<applet"; content:"SunJCE"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016406; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (4)"; flow:established,to_server; content:"/w"; http_uri; nocase; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\/(?:w(?:hite|orld)|step)\/\d+$/U"; classtype:trojan-activity; sid:2016408; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PDF 0day Communication - agent UA Feb 14 2013"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/param"; http_uri; content:"User-Agent|3a| agent|0d 0a|"; fast_pattern; http_header; content:"Content-Length|3a|"; http_header; reference:url,www.joesecurity.org/reports/report-f3b9663a01a73c5eca9d6b2a0519049e.html; classtype:trojan-activity; sid:2016411; rev:2;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - sinkhole.cert.pl 148.81.111.111"; content:"|00 01 00 01|"; content:"|00 04 94 51 6f 6f|"; distance:4; within:6; classtype:trojan-activity; sid:2016413; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:trojan-activity; sid:2016412; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (5)"; flow:established,to_server; content:".txt?e="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?e=\d+(&[fh]=\d+)?$/U"; classtype:trojan-activity; sid:2016414; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP tag in UA"; flow:established,to_server; content:"<?php"; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]\<\?php/Hmi"; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016415; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER base64_decode in UA"; flow:established,to_server; content:"base64_decode("; http_header; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]base64_decode\x28/Hmi"; reference:url,blog.spiderlabs.com/2013/02/honeypot-alert-user-agent-field-php-injection-attacks.html; classtype:bad-unknown; sid:2016416; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Vundo.Downloader Reporting User Website Session Information"; flow:established,to_server; content:"/js.php?ran="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&u="; http_uri; content:"Accept-Language|3A 20|ru-RU"; nocase; http_header; reference:url,www.lavasoft.com/mylavasoft/malware-descriptions/blog/trojandownloaderwin32vundojd; classtype:trojan-activity; sid:2016417; rev:1;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Dr. Web"; content:"|00 01 00 01|"; content:"|00 04 5b e9 f4 6a|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016418; rev:5;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Zinkhole.org"; content:"|00 01 00 01|"; content:"|00 04 b0 1f 3e 4c|"; distance:4; within:6; classtype:trojan-activity; sid:2016419; rev:5;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - German Company"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 a7|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016420; rev:5;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 1and1 Internet AG"; content:"|00 01 00 01|"; content:"|00 04 52 a5 19 d2|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016421; rev:5;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (1)"; content:"|00 01 00 01|"; content:"|00 04 c6 3d e3 06|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016422; rev:5;)
+
+#
+alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - Georgia Tech (2)"; content:"|00 01 00 01|"; content:"|00 04 32 3e 0c 67|"; distance:4; within:6; reference:url,virustracker.info; classtype:trojan-activity; sid:2016423; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Zbot.ivgw Downloading EXE"; flow:to_server,established; content:"/forum/images.php?id"; http_uri; nocase; fast_pattern:only; content:"User-Agent|3a| Mozilla/6"; http_header; content:" MSIE "; http_header; reference:md5,e8e3d22203f9549d6c5f361dfe51f8c6; classtype:trojan-activity; sid:2016425; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:"<applet"; content:"code=|22|hw|22|"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016426; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Possible Java Payload Download"; flow:to_server,established; content:".exe?"; http_uri; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\.exe\?(e=)?\d+$/U"; classtype:trojan-activity; sid:2016427; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Tosct.B UA Mandiant APT1 Related"; flow:established,to_server; content:"User-Agent|3a 20|HTTP Mozilla/5.0(compatible+MSIE)|0d 0a|"; http_header; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:trojan-activity; sid:2016431; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likseput.B Checkin"; flow:established,to_server; content:"|3b|Trident/4.0 "; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\r\n]+[^\x20]\x3bTrident\/4\.0\x29\s\d{2}\x3a\d{2}\s\r$/Hmi"; reference:md5,95d85aa629a786bb67439a064c4349ec; classtype:trojan-activity; sid:2016432; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32/Likseput.A Checkin Windows Vista/7/8"; flow:to_server,established; content:"User-Agent|3a| 6|2e|"; http_header; content:"|5c|"; within:64; http_header; content:"Host|3a| "; http_header; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http_header; pcre:"/User\-Agent\x3a\x206\.[0-2]\x20\d\d\x3a\d\d\x20/Hi"; reference:md5,b5e9ce72771217680efaeecfafe3da3f; reference:url,threatexpert.com/report.aspx?md5=4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:trojan-activity; sid:2016433; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/COOKIEBAG Cookie APT1 Related"; flow:established,to_server; content:"|0a|Cookie|3a 20|CAQGBgoFD1Y"; fast_pattern:only; content:"CAQGBgoFD1Y"; http_cookie; depth:11; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016434; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-TABLE Checkin 1 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 0"; http_header; content:"|3a|"; http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016435; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-TABLE Checkin 2 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 1"; http_header; content:"|3a|"; http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016436; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-TABLE Checkin 3 - APT1 Related"; flow:established,to_server; content:"User-Agent|3a| 2"; http_header; content:"|3a|"; http_header; distance:1; within:1; content:"|3a|"; http_header; distance:2; within:1; content:"+"; http_header; distance:2; within:1; flowbits:set,ET.webc2; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016437; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN WEBC2-TABLE Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; flowbits:isset,ET.webc2; file_data; content:"<!---<table<b"; reference:url,www.mandiant.com/apt1; reference:md5,7a7a46e8fbc25a624d58e897dee04ffa; reference:md5,110160e9d6e1483192653d4bfdcbb609; classtype:trojan-activity; sid:2016438; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Namsoth.A Checkin/NEWSREELS APT1 Related"; flow:established,to_server; content:"POST"; http_method; content:"name="; depth:5; http_client_body; content:"&userid="; http_client_body; distance:0; content:"&other"; distance:4; within:6; http_client_body; pcre:"/&userid=\d{4}&other=[MF]/P"; reference:md5,a2cd1189860b9ba214421aab86ecbc8a; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016439; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SEASALT HTTP Checkin"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 5.00|3b| Windows 98) KSMM|0d 0a|"; http_header; fast_pattern:24,20; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016440; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SEASALT Client Checkin"; flow:established,to_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016441; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN SEASALT Server Response"; flow:established,from_server; dsize:7; content:"fxftest"; depth:7; reference:md5,5e0df5b28a349d46ac8cc7d9e5e61a96; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016442; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN STARSYPOUND Client Checkin"; flow:established,to_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016443; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN STARSYPOUND Client Checkin"; flow:established,from_server; content:"*(SY)# "; depth:7; reference:md5,8442ae37b91f279a9f06de4c60b286a3; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016444; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN SWORD Sending Sword Marker"; flow:established,to_server; content:"|20 20 20 20 2f 2a 0a 40 2a 2a 2a 40 2a 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40 40|"; reference:md5,052f5da1734464a985dcd669bff62f93; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016445; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TABMSGSQL/Sluegot.C Checkin"; flow:established,to_server; content:"?rands="; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; http_header; reference:url,www.cyberesi.com/2011/06/15/trojan-letsgo-analysis/; reference:url,www.mandiant.com/apt1; reference:md5,052ec04866e4a67f31845d656531830d; classtype:trojan-activity; sid:2016446; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WARP Win32/Barkiofork.A"; flow:established,to_server; content:"/s/asp?"; http_uri; fast_pattern; pcre:"/p=1$/U"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| )|0d 0a|"; http_header; reference:url,www.mandiant.com/apt1; reference:md5,7acb0d1df51706536f33bbdb990041d3; classtype:trojan-activity; sid:2016447; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN WEBC2-ADSPACE Server Response"; flow:established,from_server; file_data; content:"<!---HEADER ADSPACE style=|22|"; content:"|5c|text $-->"; distance:0; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016448; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN WEBC2-AUSOV Checkin Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!-- DOCHTMLAuthor"; pcre:"/^\d+\s*-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,0cf9e999c574ec89595263446978dc9f; classtype:trojan-activity; sid:2016449; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN WEBC2-QBP Checkin Response 1 - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"|3c|!--<2010QBP"; content:" 2010QBP//-->"; within:150; reference:url,intelreport.mandiant.com; reference:md5,0cf9e999c574ec89595263446978dc9f; reference:md5,fcdaa67e33357f64bc4ce7b57491fc53; classtype:trojan-activity; sid:2016451; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-CLOVER Checkin APT1 Related"; flow:established,to_server; content:"/Default.asp"; http_uri; content:"Accept: image/gif,image/x-xbitmap"; http_header; content:" MSIE "; http_header; content:"Cookie|3a 20|PREF=86845632017245|0d 0a|"; fast_pattern; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:trojan-activity; sid:2016452; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-CLOVER Download UA"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| Windows NT 5.1|3b| en-US|3b| rv|3a|1.8.0.12) Firefox/1.5.0.12|0d 0a|"; http_header; fast_pattern:66,20; reference:url,www.mandiant.com/apt1; reference:md5,29c691978af80dc23c4df96b5f6076bb; classtype:trojan-activity; sid:2016453; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Small.XR Checkin 2 WEBC2-CSON APT1 Related"; flow:to_server,established; urilen:27; content:"/Default.aspx?ID="; http_uri; pcre:"/\?ID=[A-Z]{10}$/U"; content:!"User-Agent|3a| Mozilla "; http_header; reference:url,www.threatexpert.com/report.aspx?md5=ba45339da92ca4622b472ac458f4c8f2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.XR; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016459; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-DIV UA"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer Exelon "; http_header; fast_pattern:27,20; reference:url,www.mandiant.com/apt1; reference:md5,1e5ec6c06e4f6bb958dcbb9fc636009d; classtype:trojan-activity; sid:2016454; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible WEBC2-GREENCAT Response - Embedded CnC APT1 Related"; flow:established,from_server; file_data; content:"<!--|0d 0a|<img border="; pcre:"/^[0-4]\s*src=\x22[^\x22]+\x22\swidth=\d+\sheight=\d+>\r\n-->/R"; reference:url,www.mandiant.com/apt1; reference:md5,1014af80798518864d5d3dfa4e1cd079e; classtype:trojan-activity; sid:2016455; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-KT3 Intial Connection Beacon APT1 Related"; flow:established,to_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:set,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:trojan-activity; sid:2016456; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-KT3 Intial Connection Beacon Server Response APT1 Related"; flow:established,from_server; dsize:<11; content:"*!Kt3+v|7c|"; depth:8; flowbits:isset,ET.WEBC2KT3; reference:url,www.mandiant.com/apt1; reference:md5,ec3a2197ca6b63ee1454d99a6ae145ab; classtype:trojan-activity; sid:2016457; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WEBC2-RAVE UA"; flow:established,to_server; content:"User-Agent|3a| HTTP Mozilla/5.0(compatible+MSIE)|0d 0a|"; http_header; reference:url,www.mandiant.com/apt1; reference:md5,5bcaa2f4bc7567f6ffd5507a161e221a; classtype:trojan-activity; sid:2016458; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Fake Virtually SSL Cert APT1"; flow:established,from_server; content:"|55 04 03|"; content:"|03|new"; distance:1; within:4; content:"|55 04 0b|"; content:"|03|new"; distance:1; within:4; content:"|55 04 0a|"; content:"|16|www.virtuallythere.com"; distance:1; within:23; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016462; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Fake IBM SSL Cert APT1"; flow:established,from_server; content:"|55 04 03|"; content:"|03|IBM"; distance:1; within:4; content:"|55 04 0a|"; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016463; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN EMAIL SSL Cert APT1"; flow:established,from_server; content:"|2f 09 dd e0 ff 81 b7 6c bf 2f 17 92 0c d8 bd 57|"; content:"|55 04 03|"; content:"|05|EMAIL"; distance:1; within:6; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016464; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN LAME SSL Cert APT1"; flow:established,from_server; content:"|0e 97 88 1c 6c a1 37 96 42 03 bc 45 42 24 75 6c|"; content:"|55 04 03|"; content:"|0F|LM-68AB71FBD8F5"; distance:1; within:16; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016465; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN NS SSL Cert APT1"; flow:established,from_server; content:"|72 a2 5c 8a b4 18 71 4e bf c6 6f 3f 98 d6 f7 74|"; content:"|55 04 03|"; content:"|02|NS"; distance:1; within:3; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016466; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SERVER SSL Cert APT1"; flow:established,from_server; content:"|52 55 38 16 fb 0d 1a 8a 4b 45 04 cb 06 bc c4 af|"; content:"|55 04 03|"; content:"|06|SERVER"; distance:1; within:7; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016467; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SUR SSL Cert APT1"; flow:established,from_server; content:"|20 82 92 3f 43 2c 8f 75 b7 ef 0f 6a d9 3c 8e 5d|"; content:"|55 04 03|"; content:"|03|SUR"; distance:1; within:4; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016468; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN FAKE AOL SSL Cert APT1"; flow:established,from_server; content:"|7c a2 74 d0 fb c3 d1 54 b3 d1 a3 00 62 e3 7e f6|"; content:"|55 04 03|"; content:"|0c|mail.aol.com"; distance:1; within:13; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016469; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN FAKE YAHOO SSL Cert APT1"; flow:established,from_server; content:"|0a 38 c9 27 08 6f 96 4b be 75 dc 9f c0 1a c6 28|"; content:"|55 04 03|"; content:"|0e|mail.yahoo.com"; distance:1; within:15; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016470; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WEBC2-UGX User-Agent (Windows+NT+5.x) APT1"; flow:established,to_server; content:"User-Agent|3a| Windows+NT+5"; http_header; flowbits:set,ET.webc2ugx; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016471; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN WEBC2-UGX Embedded CnC Response APT1"; flow:established,from_server; flowbits:isset,ET.webc2ugx; file_data; content:"<!-- dW"; within:20; reference:md5,ae45648a8fc01b71214482d35cf8da54; reference:url,www.mandiant.com/apt1; classtype:trojan-activity; sid:2016472; rev:1;)
+
+#
+alert udp $HOME_NET any -> 78.47.139.110 53 (msg:"ET CURRENT_EVENTS Possible DNS Data Exfiltration to SSHD Rootkit Last Resort CnC"; reference:url,isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229; classtype:trojan-activity; sid:2016473; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS - CommentCrew UGX Backdoor initial connection"; flow:established,to_server; content:"|dd b5 61 f0 20 47 20 57 d6 65 9c cb 31 1b 65 42 00 00 00 00|"; depth:20; classtype:trojan-activity; sid:2016474; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - CommentCrew downloader without user-agent string exe download without User Agent"; flow:established,to_server; content:"GET"; http_method; content:"open="; http_uri; nocase; content:"myid="; http_uri; nocase; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2016475; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications get system"; flow:established,to_client; content:"Y29tbWFuZD1nZXRzeXN0ZW07"; classtype:trojan-activity; sid:2016476; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications html return 1 "; flow:established,to_client; content:"|48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d 0a|"; content:"|43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 0d 0a|"; content:"|43 6f 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a|"; content:"|53 65 74 2d 43 6f 6f 6b 69 65 3a|"; content:"|0d 0a 20 31|"; classtype:trojan-activity; sid:2016477; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep"; flow:established,to_client; file_data; content:"<!-- dWdzMTA= -->"; classtype:trojan-activity; sid:2016478; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep2"; flow:established,to_client; file_data; content:"<!-- dWdzMw== -->"; classtype:trojan-activity; sid:2016479; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep3"; flow:established,to_client; file_data; content:"<!--czoxMzc=--!>"; classtype:trojan-activity; sid:2016480; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications sleep5"; flow:established,to_client; file_data; content:"<!-- czoy -->"; classtype:trojan-activity; sid:2016482; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications download client.png"; flow:established,to_client; file_data; content:"<!-- dWdlY2xpZW50LnBuZw== -->"; classtype:trojan-activity; sid:2016483; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT crabdance backdoor base64 head 2"; flow:established,to_client; file_data; content:"FSssJi01MWwnOic="; classtype:trojan-activity; sid:2016484; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT crabdance backdoor base64 head"; flow:established,to_client; file_data; content:"MS4nJzJ4cHZyeQ=="; classtype:trojan-activity; sid:2016485; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT backdoor stage 2 download base64 update.gif"; flow:established,to_client; file_data; content:"IHVwZGF0ZS5naWY="; classtype:trojan-activity; sid:2016486; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT backdoor download logo.png"; flow:established,to_server; content:"GET"; http_method; content:"/images/logo.png"; http_uri; content:"Accept|3a| */*,,,,,,"; http_header; fast_pattern; classtype:trojan-activity; sid:2016487; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS - CommentCrew Possible APT c2 communications get command client key"; flow:established,to_client; content:"Y29tbWFuZD1HZXRDb21tYW5kO2NsaWVudGtleT"; content:"O2hvc3RuYW1lPW"; classtype:trojan-activity; sid:2016488; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CBeplay Downloading Design"; flow:established,to_server; content:".CAB.bin"; http_uri; fast_pattern:only; pcre:"/[a-z]{2}\.CAB.bin$/U"; content:" Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)|0d 0a|"; http_header; classtype:trojan-activity; sid:2016489; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (1)"; flow:established,to_server; content:"/java/lang/ClassBeanInfo.class"; http_uri; fast_pattern:10,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016490; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (2)"; flow:established,to_server; content:"/java/lang/ObjectBeanInfo.class"; http_uri; fast_pattern:11,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016491; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ObjectCustomizer.class"; http_uri; fast_pattern:13,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016492; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK/BHEK/Impact EK Java7 Exploit Class Request (3)"; flow:established,to_server; content:"/java/lang/ClassCustomizer.class"; http_uri; fast_pattern:12,20; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2016493; rev:9;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; classtype:trojan-activity; sid:2016494; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit Java .psd download"; flow:established,to_server; content:".psd"; http_uri; pcre:"/\.psd$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016495; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Gimemo Ransomware Checkin"; flow:established,to_client; file_data; content:"/gate.php?computername="; nocase; classtype:trojan-activity; sid:2016496; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload"; flow:established,to_client; file_data; content:".exe?"; fast_pattern:only; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\27]+?\/[a-zA-Z0-9\/\-\_]{60,}\/[a-zA-Z0-9]+\.exe\?[a-zA-Z0-9]+=[a-zA-Z0-9]+(&h=\d+)?[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016498; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit Payload Download"; flow:established,to_server; content:".exe?"; http_uri; nocase; fast_pattern:only; content:"&h="; http_uri; pcre:"/\.exe\?(?:[a-zA-Z0-9]+=[a-zA-Z0-9]+&)?h=\d+$/Ui"; content:!"Referer|3a|"; http_header; classtype:bad-unknown; sid:2016499; rev:10;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:7;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - zecmd - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=|22|GET|22| NAME=|22|comments|22| ACTION=|22 22|>"; classtype:attempted-user; sid:2016501; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java Serialized Data via vulnerable client"; flow:established,from_server; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016502; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java Serialized Data"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ac ed|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016503; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Serialized Data request"; flow:established,to_server; content:" Java/1"; http_header; content:".ser"; http_uri; pcre:"/\.ser$/U"; classtype:bad-unknown; sid:2016504; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO file possibly containing Serialized Data file"; flow:to_client,established; file_data; content:"PK"; within:2; content:".serPK"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2016505; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Exploit Kit Java jpeg download"; flow:established,to_server; content:".jpeg"; http_uri; pcre:"/\.jpeg$/U"; content:" Java/1."; http_header; flowbits:set,ET.g01pack.Java.Image; flowbits:noalert; classtype:trojan-activity; sid:2016506; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Caphaw Requesting Additional Modules From CnC"; flow:established,to_server; content:"/ping.html?r="; http_uri; fast_pattern:only; content:!"/utils/"; http_uri; pcre:"/\x2Fping\x2Ehtml\x3Fr\x3D[0-9]{5,14}$/U"; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:trojan-activity; sid:2016507; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Caphaw CnC Configuration File Request"; flow:established,to_server; content:"&id="; http_uri; content:"&inst="; http_uri; content:"&net"; http_uri; content:"&cmd=cfg"; fast_pattern:only; http_uri; reference:url,www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/; classtype:trojan-activity; sid:2016508; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Zbot.Variant Fake MSIE 6.0 UA"; flow:to_server,established; content:".htm?"; fast_pattern:only; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; pcre:"/\/[a-z]\.htm\?[A-Za-z0-9]+$/U"; flowbits:set,ET.zbot.ua.2106509; classtype:trojan-activity; sid:2016509; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Serialized Java Applet (Used by some EKs in the Wild)"; flow:established,from_server; file_data; content:"<embed"; nocase; content:"object"; distance:0; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*[\x22\x27][^\x22\x27]+\.ser[\x22\x27]/Ri"; content:"application/x-java-"; fast_pattern:only; classtype:trojan-activity; sid:2016510; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Travnet.A Checkin"; flow:to_server,established; content:".asp?hostid="; http_uri; content:"&hostname="; http_uri; content:"&hostip="; http_uri; content:"&filename="; http_uri; content:"&filestart="; http_uri; content:!"Referer|3a 20|"; http_header; content:"&filetext=begin|3a 3a|"; fast_pattern:only; http_uri; pcre:"/\?hostid=[0-9A-F]+?&/U"; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; reference:url,www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf; classtype:trojan-activity; sid:2016968; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Successful Compromise svchost.jpg Beacon - Java Zeroday"; flow:established,to_server; content:"/svchost.jpg"; fast_pattern:only; http_uri; content:" Java/1."; http_header; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another- java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Smsilence.A Successful Install Report"; flow:established,to_server; content:"/Android_SMS/installing.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016512; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Smsilence.A Sending SMS Messages CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/Android_SMS/receiving.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/sms-trojan-targets-south-korean-android-devices; classtype:trojan-activity; sid:2016513; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jhan.jar"; flow:established,to_server; content:"/jhan.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016514; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gimemo Activity"; flow:established,to_server; content:"mainsettings/settings.sol"; http_uri; content:" MSIE 7.0|3b|"; http_header; classtype:trojan-activity; sid:2016515; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure"; flow:established,to_server; content:"POST"; http_method; content:"act="; depth:4; fast_pattern; http_client_body; content:"&d="; http_client_body; within:20; classtype:attempted-user; sid:2016516; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 1 2013"; flow:established,from_server; file_data; content:"<#a#p#p#l#e#t#"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016520; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java Archive Request (Java-SPLOIT.jar)"; flow:established,to_server; content:"/Java-SPLOIT.jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:bad-unknown; sid:2016521; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016522; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request"; flow:established,to_server; content:"/module.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016523; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific - 4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; classtype:trojan-activity; sid:2016524; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific - 4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; classtype:trojan-activity; sid:2016525; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole V2 Exploit Kit Landing Page Try Catch False Specific - 4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; distance:0; content:"=false|3B|}"; within:30; classtype:trojan-activity; sid:2016526; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox php.dll.crp POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"|3A|8080|0D 0A|"; http_header; content:"id="; http_client_body; depth:3; content:"&code="; http_client_body; fast_pattern; distance:0; content:"&data="; http_client_body; distance:0; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016527; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox CnC Beacon"; flow:established,to_server; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; http_header; fast_pattern:44,20; content:"|3A|8080|0D 0A|"; http_header; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox Passgrub POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"akk="; http_client_body; depth:4; content:"&client="; http_client_body; distance:0; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016529; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox.FakeAV Affiliate Second Stage Download Location Request"; flow:established,to_server; content:"/api/urls/?ts="; http_uri; content:"&affid="; http_uri; pcre:"/\x26affid\x3D[0-9]{4,7}$/Ui"; flowbits:noalert; flowbits:set,et.asproxfakeav; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016530; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Asprox.FakeAV Affiliate Download Location Response - Likely Pay-Per-Install For W32/Papras.Spy or W32/ZeroAccess"; flowbits:isset,et.asproxfakeav; flow:established,to_client; file_data; content:"http|3A|//"; within:50; content:".exe?ts="; fast_pattern; distance:0; content:"&affid="; distance:0; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016531; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TrojanSpy.MSIL Fetch Time CnC Beacon"; flow:established,to_server; content:"/features/fetch/time/"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Content-"; http_header; content:!"Accept-"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:trojan-activity; sid:2016533; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TrojanSpy.MSIL Get New MAC CnC Beacon"; flow:established,to_server; content:"/features/get/new/mac/"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Content-"; http_header; content:!"Accept-"; http_header; content:!"Connection|3A|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:trojan-activity; sid:2016534; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TrojanSpy.MSIL Set Done Day CnC Beacon"; flow:established,to_server; content:"/features/set/done/day/"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Content-"; http_header; content:!"Accept-"; http_header; content:!"Connection|3A|"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:trojan-activity; sid:2016535; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/TrojanSpy.MSIL Fetch Header CnC Beacon"; flow:established,to_server; content:"/features/fetch/header/"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Content-"; http_header; content:!"Accept-"; http_header; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AMSIL%2FCrime.B; classtype:trojan-activity; sid:2016536; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO GET Minimal HTTP Headers Flowbit Set"; flow:established,to_server; content:"GET"; http_method; content:!"Accept"; http_header; content:!"If-"; http_header; content:!"Referer|3A|"; http_header; content:!"User-Agent|3A|"; http_header; fast_pattern; content:!"Content"; http_header; flowbits:set,min.gethttp; flowbits:noalert; classtype:bad-unknown; sid:2016537; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download"; flowbits:isset,min.gethttp; flow:established,to_client; file_data; content:"MZ"; within:2; content:"PE|00 00|"; distance:0; classtype:bad-unknown; sid:2016538; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Download non Jar file"; flow:established,to_server; content:!".jar"; http_uri; nocase; content:!".jnlp"; http_uri; nocase; content:" Java/1."; http_header; fast_pattern:only; flowbits:set,ET.JavaNotJar; flowbits:noalert; classtype:bad-unknown; sid:2016539; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool landing applet plus class Mar 03 2013"; flow:established,to_client; file_data; content:"<applet"; content:"MyApplet"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016541; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016542; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016543; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Eorezo.Adware CnC Beacon"; flow:established,to_server; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern:8,20; http_uri; content:"&x_format="; http_uri; content:"&x_pub_id="; http_uri; content:"&tag="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99; classtype:trojan-activity; sid:2016546; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (6)"; flow:established,to_server; content:"/mypic.dll"; http_uri; nocase; fast_pattern:only; pcre:"/\/(w(?:hite|orld)|step)\/mypic\.dll$/U"; classtype:trojan-activity; sid:2016547; rev:9;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 http argument in applet (Neutrino/Angler)"; flow:established,from_server; file_data; content:"<applet "; pcre:"/^((?!<\/applet>).)+?[\x22\x27]aHR0cDov/Rs"; content:"aHR0cDov"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016549; rev:4;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:"/m"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/m[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2016551; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Trustezeb.C CnC Beacon"; flow:established,to_server; content:".php?ltype="; http_uri; content:"&ccr="; http_uri; content:"&id="; http_uri; content:"&stat="; http_uri; content:"&ver="; http_uri; content:"&loc="; http_uri; content:"&os="; http_uri; reference:url,www.abuse.ch/?p=5175; reference:url,www.virusradar.com/Win32_Trustezeb.C/description; classtype:trojan-activity; sid:2016552; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Urausy.C Checkin"; flow:to_server,established; urilen:>80; content:"GET"; http_method; pcre:"/^\/[a-z-_]+?\.(php|html)$/Ui"; content:"User-Agent|3a| Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11|0d 0a|"; fast_pattern:86,20; depth:122; http_header; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016553; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (1) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kid.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016554; rev:5;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (2) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/dab.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016555; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (3) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/jot.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016556; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible FiestaEK CVE-2013-0431 Artifact (4) Mar 07 2013"; flow:established,to_server; urilen:10; content:"/kir.class"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016557; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (7)"; flow:established,to_server; content:"/get"; http_uri; fast_pattern:only; content:".jpg"; http_uri; content:!"Referer|3a| "; http_header; pcre:"/\/get(?:a+|n+)\.jpg$/U"; classtype:trojan-activity; sid:2016559; rev:13;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Plugin Detect March 11 2013"; flow:to_client,established; file_data; content:"this.gondad = arrVersion"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016560; rev:9;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016561; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; content:"&i"; within:13; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; classtype:trojan-activity; sid:2016562; rev:4;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016563; rev:6;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 16-hex/q.php Jar Download"; flow:established,to_server; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016564; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LetsGo.APT Sleep CnC Beacon"; flow:established,to_server; content:"User-Agent|3a| sleep "; http_header; fast_pattern:only; pcre:"/\.html\?[0-9]{10}$/U"; pcre:"/User-Agent\x3a\x20sleep \d+[\r\x2c]/H"; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/the-dingo-and-the-baby.html; classtype:trojan-activity; sid:2016568; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.net"; content:"|0a|micorsofts|03|net|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016569; rev:3;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain micorsofts.com"; content:"|0a|micorsofts|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016570; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS APT_NGO_wuaclt C2 Domain hotmal1.com"; content:"|07|hotmal1|03|com|00|"; nocase; fast_pattern:only; threshold: type limit, track by_src, count 1, seconds 300; reference:url,labs.alienvault.com; classtype:bad-unknown; sid:2016571; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT_NGO_wuaclt C2 Check-in"; flow:to_server,established; content:"/news/show.asp?id1="; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1"; http_header; reference:url,labs.alienvault.com; classtype:trojan-activity; sid:2016572; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN APT_NGO_wuaclt"; flow:to_server,established; content:"/pics/"; http_uri; content:".asp?id="; http_uri; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SP Q"; http_header; content:"|0d 0a|Cookies|3a 20|"; fast_pattern:only; reference:url,labs.alienvault.com; classtype:trojan-activity; sid:2016573; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Urausy.C Checkin 2"; flow:to_server,established; urilen:>80; content:"GET"; http_method; content:".html"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; pcre:"/\/[a-z-_]{75,}\.html$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE "; depth:42; http_header; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016567; rev:3;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Database List"; flow:established,to_client; file_data; content:"<h1>Databases List</h1>"; classtype:bad-unknown; sid:2016574; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - MySQL Interface - Client Cookie mysql_web_admin*="; flow:established,to_server; content:"mysql_web_admin_"; http_cookie; content:"mysql_web_admin"; fast_pattern:only; classtype:bad-unknown; sid:2016575; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Server Set Cookie mysql_web_admin*="; flow:established,to_client; content:"mysql_web_admin_"; http_cookie; content:"mysql_web_admin"; fast_pattern:only; classtype:bad-unknown; sid:2016576; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Romanian Webshell"; flow:established,to_client; file_data; content:"Incarca fisier|3a|"; content:"Exeuta comada|3a|"; classtype:bad-unknown; sid:2016577; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SNET EK Downloading Payload"; flow:to_server,established; content:"/get?src="; http_uri; fast_pattern; content:"snet"; http_uri; distance:0; pcre:"/\/get\?src=[a-z]+snet$/U"; content:" WinHttp.WinHttpRequest"; http_header; classtype:trojan-activity; sid:2016566; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dorkbot Loader Payload Request"; flow:established,to_server; content:"Mozilla/4.0|0D 0A|Host|3a|"; http_header; content:".exe"; http_uri; fast_pattern; urilen:<11; reference:md5, 3452c20fd0df69ccfdea520a6515208a; classtype:trojan-activity; sid:2016578; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN APT_NGO_wuaclt PDF file"; flow:from_server,established; file_data; content:"%PDF-"; within:5; content:"|3C 21 2D 2D 0D 0A 63 57 4B 51 6D 5A 6C 61 56 56 56 56 56 56 56 56 56 56 56 56 56 63 77 53 64 63 6A 4B 7A 38 35 6D 37 4A 56 6D 37 4A 46 78 6B 5A 6D 5A 6D 52 44 63 5A 58 41 73 6D 5A 6D 5A 7A 42 4A 31 79 73 2F 4F 0D 0A|"; within:200; reference:url,labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/; classtype:trojan-activity; sid:2016579; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DynDNS Pro Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:i(?:s(?:-(?:a(?:-(?:(?:(?:h(?:ard-work|unt)e|financialadviso)r|d(?:e(?:mocrat|signer)|octor)|t(?:e(?:acher|chie)|herapist)|r(?:epublican|ockstar)|n(?:ascarfan|urse)|anarchist|musician)\.com|c(?:(?:(?:ubicle-sla|onservati)ve|pa)\.com|a(?:ndidate\.org|terer\.com)|hef\.(?:com|net|org)|elticsfan\.org)|l(?:i(?:ber(?:tarian|al)\.com|nux-user\.org)|(?:a(?:ndscap|wy)er|lama)\.com)|p(?:(?:ersonaltrain|hotograph|lay)er\.com|a(?:inter\.com|tsfan\.org))|b(?:(?:(?:ookkeep|logg)er|ulls-fan)\.com|ruinsfan\.org)|s(?:o(?:cialist\.com|xfan\.org)|tudent\.com)|g(?:eek\.(?:com|net|org)|(?:reen|uru)\.com)|knight\.org)|n-(?:a(?:c(?:t(?:ress|or)|countant)|(?:narch|rt)ist)|en(?:tertain|gine)er)\.com)|(?:into-(?:(?:car(?:toon)?|game)s|anime)|(?:(?:not-)?certifie|with-theban)d|uberleet|gone)\.com|(?:very-(?:(?:goo|ba)d|sweet|evil|nice)|found)\.org|s(?:aved\.org|lick\.com)|l(?:eet\.com|ost\.org)|by\.us)|a-(?:geek\.(?:com|net|org)|hockeynut\.com)|t(?:eingeek|mein)\.de|smarterthanyou\.com)|n-the-band\.net|amallama\.com)|f(?:rom-(?:(?:i[adln]|w[aivy]|o[hkr]|[hr]i|d[ce]|k[sy]|p[ar]|s[cd]|t[nx]|v[at]|fl|ga|ut)\.com|m(?:[adinost]\.com|e\.org)|n(?:[cdehjmv]\.com|y\.net)|a(?:[klr]\.com|z\.net)|c(?:[at]\.com|o\.net)|la\.net)|or(?:-(?:(?:(?:mor|som|th)e|better)\.biz|our\.info)|got\.h(?:er|is)\.name)|uettertdasnetz\.de|tpaccess\.cc)|s(?:e(?:l(?:ls(?:-(?:for-(?:less|u)\.com|it\.net)|yourhome\.org)|fip\.(?:info|biz|com|net|org))|rve(?:bbs\.(?:com|net|org)|ftp\.(?:net|org)|game\.org))|(?:aves-the-whales|pace-to-rent|imple-url)\.com|crapp(?:er-site\.net|ing\.cc)|tuff-4-sale\.(?:org|us)|hacknet\.nu)|d(?:o(?:es(?:ntexist\.(?:com|org)|-it\.net)|ntexist\.(?:com|net|org)|omdns\.(?:com|org))|yn(?:a(?:lias\.(?:com|net|org)|thome\.net)|-o-saur\.com|dns\.ws)|ns(?:alias\.(?:com|net|org)|dojo
\.(?:com|net|org))|vrdns\.org)|h(?:o(?:me(?:linux\.(?:com|net|org)|unix\.(?:com|net|org)|(?:\.dyn)?dns\.org|ftp\.(?:net|org)|ip\.net)|bby-site\.(?:com|org))|ere-for-more\.info|am-radio-op\.net)|b(?:log(?:dns\.(?:com|net|org)|site\.org)|(?:uyshouses|roke-it)\.net|arrel?l-of-knowledge\.info|oldlygoingnowhere\.org|etter-than\.tv)|g(?:o(?:tdns\.(?:com|org)|\.dyndns\.org)|ame-(?:server\.cc|host\.org)|et(?:myip\.com|s-it\.net)|roks-th(?:is|e)\.info)|e(?:st-(?:(?:a-la-ma(?:is|si)|le-patr)on|mon-blogueur)\.com|ndof(?:internet\.(?:net|org)|theinternet\.org))|l(?:e(?:btimnetz|itungsen)\.de|ikes(?:candy|-pie)\.com|and-4-sale\.us)|m(?:i(?:sconfused\.org|ne\.nu)|yp(?:hotos\.cc|ets\.ws)|erseine\.nu)|w(?:ebhop\.(?:info|biz|net|org)|ritesthisblog\.com|orse-than\.tv)|t(?:eaches-yoga\.com|raeumtgerade\.de|hruhere\.net)|k(?:icks-ass\.(?:net|org)|nowsitall\.info)|o(?:ffice-on-the\.net|n-the-web\.tv)|(?:neat-url|cechire)\.com|podzone\.(?:net|org)|at-band-camp\.net|readmyblog\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016580; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to ChangeIP Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:m(?:y(?:p(?:op3\.(?:net|org)|icture\.info)|n(?:etav\.(?:net|org)|umber\.org)|(?:secondarydns|lftv|03)\.com|d(?:ad\.info|dns\.com)|ftp\.(?:info|name)|www\.biz|z\.info)|(?:r(?:b(?:asic|onus)|(?:slov|fac)e)|efound)\.com|oneyhome\.biz)|d(?:yn(?:amic(?:dns\.(?:(?:org|co|me)\.uk|biz)|-dns\.net)|dns\.pro|ssl\.com)|ns(?:(?:-(?:stuff|dns)|0[45]|et|rd)\.com|[12]\.us)|dns\.(?:m(?:e\.uk|obi|s)|info|name|us)|(?:smtp|umb1)\.com|hcp\.biz)|(?:j(?:u(?:ngleheart|stdied)|etos|kub)|y(?:ou(?:dontcare|rtrap)|gto)|4(?:mydomain|dq|pu)|q(?:high|poe)|2(?:waky|5u)|z(?:yns|zux)|vizvaz|1dumb)\.com|s(?:e(?:(?:llclassics|rveusers?|ndsmtp)\.com|x(?:idude\.com|xxy\.biz))|quirly\.info|sl443\.org|ixth\.biz)|o(?:n(?:mypc\.(?:info|biz|net|org|us)|edumb\.com)|(?:(?:urhobb|cr)y|rganiccrap|tzo)\.com)|f(?:ree(?:(?:ddns|tcp)\.com|www\.(?:info|biz))|a(?:qserv|rtit)\.com|tp(?:server|1)\.biz)|a(?:(?:(?:lmostm|cmeto)y|mericanunfinished)\.com|uthorizeddns\.(?:net|org|us))|n(?:s(?:0(?:1\.(?:info|biz|us)|2\.(?:info|biz|us))|[123]\.name)|inth\.biz)|c(?:hangeip\.(?:n(?:ame|et)|org)|leansite\.(?:info|biz|us)|ompress\.to)|i(?:(?:t(?:emdb|saol)|nstanthq|sasecret|kwb)\.com|ownyour\.(?:biz|org))|p(?:ort(?:relay\.com|25\.biz)|canywhere\.net|roxydns\.com)|g(?:r8(?:domain|name)\.biz|ettrials\.com|ot-game\.org)|l(?:flink(?:up\.(?:com|net|org)|\.com)|ongmusic\.com)|t(?:o(?:ythieves\.com|h\.info)|rickip\.(?:net|org))|x(?:x(?:xy\.(?:info|biz)|uz\.com)|24hr\.com)|w(?:ww(?:host|1)\.biz|ikaba\.com|ha\.la)|e(?:(?:smtp|dns)\.biz|zua\.com|pac\.to)|(?:rebatesrule|3-a)\.net|https443\.(?:net|org)|bigmoney\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016581; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to NOIP Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:e(?:rve(?:(?:(?:(?:counterstri|qua)k|exchang|gam)e|h(?:alflife|umour|ttp)|p(?:ics|2p)|sarcasm|ftp|mp3)\.com|b(?:eer\.com|log\.net))|curity(?:exploit|tactic)s\.com)|tufftoread\.com|ytes\.net)|m(?:y(?:(?:(?:dissen|effec)t|mediapc|psx)\.net|securitycamera\.(?:com|net|org)|(?:activedirectory|vnc)\.com|ftp\.(?:biz|org))|lbfan\.org|mafan\.biz)|n(?:o(?:-ip\.(?:c(?:o\.uk|a)|info|biz|net)|ip\.(?:me|us))|et-freaks\.com|flfan\.org|hlfan\.net)|d(?:(?:itchyourip|amnserver|ynns)\.com|ns(?:iskinky\.com|for\.me)|dns\.(?:net|me)|vrcam\.info)|h(?:o(?:mesecurity(?:ma|p)c\.com|pto\.(?:org|me))|ealth-carereform\.com)|p(?:(?:rivatizehealthinsurance|gafan)\.net|oint(?:2this\.com|to\.us))|c(?:(?:o(?:uchpotatofries|llegefan)|able-modem)\.org|iscofreak\.com)|b(?:logsyte\.com|ounceme\.net|rasilia\.me)|re(?:ad-books\.org|directme\.net)|u(?:nusualperson\.com|fcfan\.org)|w(?:orkisboring\.com|ebhop\.me)|g(?:eekgalaxy\.com|olffan\.us)|eating-organic\.net|ilovecollege\.info|fantasyleague\.cc|quicksytes\.com|loginto\.me|zapto\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016582; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DNSDynamic Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:d(?:ns(?:d(?:ynamic\.(?:com|net)|\.(?:info|me))|api\.info|get\.org|53\.biz)|dns01\.com)|(?:f(?:lashserv|e100|tp21)|adultdns|mysq1|wow64)\.net|(?:(?:ima|voi)p01|(?:user|ole)32|kadm5)\.com|t(?:tl60\.(?:com|org)|empors\.com|ftpd\.net)|s(?:sh(?:01\.com|22\.net)|ql01\.com)|http(?:(?:s443|01)\.com|80\.info)|n(?:s360\.info|tdll\.net)|x(?:ns01\.com|64\.me)|craftx\.biz)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016583; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to DtDNS Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:(?:b(?:bsindex|0ne)|chatnook|gotgeeks|3d-game|4irc)\.com|s(?:(?:cieron|uroot)\.com|lyip\.(?:com|net))|d(?:arktech\.org|eaftone\.com|tdns\.net)|e(?:towns\.(?:net|org)|ffers\.com)|flnet\.org)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016584; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:8;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opengw|03|net|00|"; nocase; fast_pattern:only; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Jar Naming Pattern March 03 2013"; flow:established,to_server; content:".jar"; http_uri; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9]{2}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016588; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit URI Struct Flowbit"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{4}\.html?(\?[h-j]=\d+)?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2016589; rev:6;)
+
+#
+alert udp any 53 -> $HOME_NET any (msg:"ET DNS Reply Sinkhole - 46.149.18.14 blacklistthisdomain.com"; content:"|00 01 00 01|"; content:"|00 04 2e 95 12 0e|"; distance:4; within:6; classtype:trojan-activity; sid:2016591; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN RevProxy Java Settings"; flow:established,to_client; file_data; content:"USE_USERAGENT="; content:"DELAY_BETWEEN_SYNCS="; content:"CONNECTION_TIMEOUT="; classtype:trojan-activity; sid:2016592; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedDotv2 Java Check-in"; flow:established,to_server; content:"/search/"; http_uri; content:" Java/1."; http_header; fast_pattern:only; pcre:"/^\/search\/[0-9]{64}/U"; classtype:trojan-activity; sid:2016593; rev:5;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to cd.am Dynamic DNS Domain"; flow:to_server,established; content:" Java/1."; http_header; content:"cd.am"; http_header; nocase; pcre:"/^Host\x3a\x20[^\r\n]+\.cd\.am(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016595; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection (varchar2)"; flow:established,to_server; content:"varchar2("; nocase; http_uri; reference:url,doc.emergingthreats.net/2008175; classtype:attempted-admin; sid:2016596; rev:5;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CrimeBoss - Java Exploit - m11.jar"; flow:established,to_server; content:"/m11.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016597; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - jmx.jar"; flow:established,to_server; content:"/jmx.jar"; http_uri; content:" Java/"; http_header; content:!"hermesjms.com"; http_header; classtype:trojan-activity; sid:2016598; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016614; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016620; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016621; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016626; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016628; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016635; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/GameThief Initial CnC Beacon"; flow:established,to_server; content:"/count/bindplugin.ini"; http_uri; content:"User-Agent|3A| NSISDL/1.2 (Mozilla)"; http_header; classtype:trojan-activity; sid:2016637; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Depyot.Downloader CnC Beacon"; flow:established,to_server; content:"/pdf.php?id="; http_uri; fast_pattern; content:"User-Agent|3A| Mozilla/4.0 (compatible)|0D 0A|"; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FDepyot.A&ThreatID=-2147288740; classtype:trojan-activity; sid:2016638; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletHigh.jar"; flow:established,to_server; content:"/AppletHigh.jar"; http_uri; content:" Java/1."; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016639; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Watering Hole applet name AppletLow.jar"; flow:established,to_server; content:"/AppletLow.jar"; http_uri; content:" Java/1."; http_header; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html; classtype:trojan-activity; sid:2016640; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"#!/usr/bin/perl"; nocase; http_client_body; fast_pattern:only; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016641; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Perl Shell in HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"#!/bin/sh"; nocase; http_client_body; fast_pattern:only; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2016642; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; nocase; within:500; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Galock Ransomware Check-in"; flow:established,to_server; content:"&os="; http_uri; content:"&hostname="; http_uri; content:"&codepage="; http_uri; content:"&account"; http_uri; content:"|3a| Mozilla/4.1 "; http_header; fast_pattern:only; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016644; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Galock Ransomware Command"; flow:established,from_server; file_data; content:"[LOCK]"; within:6; isdataat:!1,relative; reference:url,twitter.com/kafeine/status/314859973064667136/photo/1; classtype:trojan-activity; sid:2016645; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Web Capture [8-9].0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Web Capture "; pcre:"/^[8-9]\.0/R"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016646; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe LiveCycle Designer ES 8.2"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe LiveCycle Designer ES 8.2"; fast_pattern:11,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016647; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Python PDF Library"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Python PDF Library - http|3a|//pybrary.net/pyPdf/"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016648; rev:3;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 9.0.0 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 9.0.0 (Windows)"; fast_pattern:3,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016649; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Acrobat Distiller 6.0.1 (Windows)"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Acrobat Distiller 6.0.1 (Windows)"; fast_pattern:3,20; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016650; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator pdfeTeX-1.21a"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"pdfeTeX-1.21a"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016651; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe Acrobat 9.2.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe Acrobat 9.2.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016652; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Old/Rare PDF Generator Adobe PDF Library 9.0"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:"Adobe PDF Library 9.0"; reference:url,carnal0wnage.attackresearch.com/2013/03/apt-pdfs-and-metadata-extraction.html; classtype:not-suspicious; sid:2016653; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [CrowdStrike] ANCHOR PANDA - Adobe Gh0st Beacon"; flow:established, to_server; content: "Adobe"; depth:5; content:"|e0 00 00 00 78 9c|"; distance: 4; within:15; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016656; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - Poison Ivy Keep-Alive - From Controller"; dsize:48; flow:established, from_server; content:"|54 90 1d b0 18 1b 7c ce f4 5b 24 2f ec c7 d2 21|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016657; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED [CrowdStrike] ANCHOR PANDA - Poison Ivy Keep-Alive - From Victim"; dsize:48; flow: established, to_server; content: "|af c0 bb 65 5d 07 e0 0d bf ab 75 2f 82 79 ae 26|"; depth:16; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016658; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message Header Local"; flow:established, to_server; dsize:16; content:"|00 00 00 11 c8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; flowbits:set,ET.Torn.toread_header; flowbits: noalert; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016659; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [CrowdStrike] ANCHOR PANDA Torn RAT Beacon Message"; dsize: 200; flow: to_server,established; flowbits:isset,ET.Torn.toread_header; content:"|40 7e 7e 7e|"; offset:196; depth:4; reference:url,blog.crowdstrike.com/whois-anchor-panda/index.html; classtype:trojan-activity; sid:2016660; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:2;)
+
+#
+#alert udp $HOME_NET any -> any 53 (msg:"ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tracker"; fast_pattern; distance:0; threshold: type both, count 3, seconds 10, track by_src; classtype:policy-violation; sid:2016662; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (1)"; flow:established,to_client; file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016663; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mssql_query)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"mssql_query"; distance:0; classtype:bad-unknown; sid:2016664; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mssql_query)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"mssql_query"; distance:0; classtype:bad-unknown; sid:2016665; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (pgsql_query)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"pgsql_query"; distance:0; classtype:bad-unknown; sid:2016666; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (pgsql_query)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"pgsql_query"; distance:0; classtype:bad-unknown; sid:2016667; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (mysql_query)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"mysql_query"; distance:0; classtype:bad-unknown; sid:2016668; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (mysql_query)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"mysql_query"; distance:0; classtype:bad-unknown; sid:2016669; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (SqlException)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"SqlException"; distance:0; classtype:bad-unknown; sid:2016670; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (SqlException)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"SqlException"; distance:0; classtype:bad-unknown; sid:2016671; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"error in your SQL syntax"; fast_pattern:only; classtype:bad-unknown; sid:2016672; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (error in your SQL syntax)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"error in your SQL syntax"; distance:0; classtype:bad-unknown; sid:2016673; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ERROR syntax error at or near)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ERROR|3a| syntax error at or near"; distance:0; classtype:bad-unknown; sid:2016674; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ERROR syntax error at or near)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ERROR|3a| syntax error at or near"; distance:0; classtype:bad-unknown; sid:2016675; rev:2;)
+
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016676; rev:1;)
+
+#
+#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER SQL Errors in HTTP 500 Response (ORA-)"; flow:from_server,established; content:"500"; http_stat_code; file_data; content:"ORA-"; distance:0; classtype:bad-unknown; sid:2016677; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013"; flow:established,from_server; file_data; content:"0153,0137,0153,0137,070,0166"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016678; rev:3;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SERVER WebShell - Simple - Title"; flow:established,to_client; file_data; content:"- Simple Shell</title>"; classtype:bad-unknown; sid:2016679; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - net user"; flow:established,to_server; content:"POST"; http_method; content:"net"; nocase; http_client_body; fast_pattern; content:!"work"; within:4; nocase; http_client_body; content:"user"; nocase; within:11; http_client_body; content:!"-agent"; nocase; http_client_body; within:6; classtype:bad-unknown; sid:2016680; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - netsh firewall"; flow:established,to_server; content:"netsh"; nocase; fast_pattern; http_client_body; content:"firewall"; within:15; http_client_body; classtype:bad-unknown; sid:2016681; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - reg HKEY_LOCAL_MACHINE"; flow:established,to_server; content:"reg"; nocase; http_client_body; content:"HKEY_LOCAL_MACHINE"; nocase; within:80; http_client_body; classtype:bad-unknown; sid:2016682; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - wget http - POST"; flow:established,to_server; content:"wget"; nocase; http_client_body; content:"http"; nocase; http_client_body; within:11; classtype:bad-unknown; sid:2016683; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - JSPCMD - Form"; flow:established,to_client; file_data; content:"<FORM METHOD=\"GET\" NAME=\"comments\" ACTION=\"\">"; classtype:bad-unknown; sid:2016684; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Delfinject Check-in"; flow:established,to_server; content: "|44 4d 7f 49 51 48 50 62 7d 74 61 77 4e 55 32 2f|"; depth:16; dsize:<65; reference:md5,90f8b934c541966aede75094cfef27ed; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=VirTool%3AWin32%2FDelfInject; classtype:trojan-activity; sid:2016685; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Anonymous FTP Login"; flow:to_server,established; content:"USER anonymous|0d 0a|PASS Java1."; fast_pattern:7,20; pcre:"/^\d\.\d(_\d+)?\@\r\n/R"; flowbits:set,ET.Java.FTP.Logon; classtype:misc-activity; sid:2016687; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET FTP Outbound Java Downloading jar over FTP"; flow:to_server,established; flowbits:set,ET.Java.FTP.Logon; content:".jar"; nocase; fast_pattern:only; content:"RETR "; pcre:"/^[^\r\n]+\.jar/Ri"; classtype:misc-activity; sid:2016688; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Enchanim Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"svchost.exe"; http_uri; fast_pattern:only; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.01|3b| Windows NT 5.0)"; http_header; reference:md5,539d3b15e9c3882ac70bb1ac7f90a837; classtype:trojan-activity; sid:2016707; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL April 01 2013"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]value[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?(\d{2,3})?(?P<sep>([^a-zA-Z0-9]{1,100}|[a-zA-Z0-9]{1,100}))\d{2,3}((?P=sep)\d{2,3}){20}/Rs"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016705; rev:17;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>35; content:".php"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9A-Z]{15,35}\/((\d+[A-Z]){3}\d+|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016706; rev:19;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - MySQL Interface - Auth Prompt"; flow:established,to_client; file_data; content:"bG9nb25fc3VibWl0"; classtype:bad-unknown; sid:2016689; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kovter Ransomware Check-in"; flow:established,to_server; content:".php?mode="; nocase; http_uri; content:"&OS="; nocase; http_uri; content:"&OSbit="; http_uri; nocase; fast_pattern:only; reference:url,www.botnets.fr/index.php/Kovter; reference:md5,82d0e4f8b34d6d39ee4ff59d0816ec05; classtype:trojan-activity; sid:2016690; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/7"; flow:established,to_server; content:"User-Agent|3a| Mozilla/7"; fast_pattern:1,20; nocase; http_header; classtype:bad-unknown; sid:2016692; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/8"; flow:established,to_server; content:"User-Agent|3a| Mozilla/8"; fast_pattern:1,20; nocase; http_header; classtype:bad-unknown; sid:2016693; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/9"; flow:established,to_server; content:"User-Agent|3a| Mozilla/9"; fast_pattern:1,20; nocase; http_header; classtype:bad-unknown; sid:2016694; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS UA starting with Mozilla/0"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0"; fast_pattern:1,20; nocase; http_header; classtype:bad-unknown; sid:2016695; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/svchost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/svchost\.exe$/Ui"; classtype:bad-unknown; sid:2016696; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/winlogon.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlogon\.exe$/Ui"; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/lsass.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lsass\.exe$/Ui"; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:11;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/explorer.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/explorer\.exe$/Ui"; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/smss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/smss\.exe$/Ui"; reference:md5,450dbe96d7f4108474071aca5826fc43; classtype:bad-unknown; sid:2016701; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/csrss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/csrss\.exe$/Ui"; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:11;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/rundll32.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/rundll32\.exe$/Ui"; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:11;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:"<apABCplet"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016704; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (3)"; flow:established,to_server; content:"/m1"; http_uri; nocase; content:".jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; pcre:"/\/m1[1-6]\.jar$/U"; classtype:trojan-activity; sid:2016708; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss Recent Jar (4)"; flow:established,to_server; content:"/cmm.jar"; http_uri; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016709; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus User-Agent(z00sAgent)"; flow:to_server,established; content:"User-Agent|3a| z00sAgent"; fast_pattern:12,9; http_header; reference:md5,e94fb19f3a38f9b2a775b925e4c0abe3; classtype:trojan-activity; sid:2016710; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|android|06|uyghur|04|dnsd|02|me|00|"; nocase; fast_pattern; distance:0; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:bad-unknown; sid:2016712; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; content:"301"; http_stat_code; content:"Moved Permanently"; http_stat_msg; content:"/update/winword.pkg"; http_header; pcre:"/Location\x3A[^\r\n]*\x2Fupdate\x2Fwinword\x2Epkg/H"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016713; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c|5C|0c"; nocase; distance:0; classtype:bad-unknown; sid:2016714; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible Backslash Escaped UTF-16 0c0c Heap Spray"; flow:established,to_client; file_data; content:"|5C|0c0c"; nocase; distance:0; classtype:bad-unknown; sid:2016715; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016716; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016717; rev:3;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016718; rev:3;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"<iframe"; pcre:"/^((?!<\/iframe).)*?[\r\n\s]src[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016719; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sakura Jar Download SET"; flow:established,to_server; content:".php"; http_uri; content:" Java/1."; http_header; fast_pattern; flowbits:set,ET.Sakura.php.Java; flowbits:noalert; classtype:trojan-activity; sid:2016720; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; fast_pattern:22,20; pcre:"/Last-Modified\x3a Mon, (?!(?:0[29]|16|23|30))\d{2} Jul 2001/H"; classtype:trojan-activity; sid:2016721; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016722; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 32-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:33; depth:7; http_uri; pcre:"/^\/[0-9a-f]{32}\/ff\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016723; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016724; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 16-hex/ff.php Jar Download"; flow:established,to_server; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016725; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/BaneChant.APT Data Exfiltration POST to CnC"; flow:established,to_server; content:"POST"; http_method; content:"/adserv/get.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV2)|0D 0A|"; http_header; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016727; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/BaneChant.APT Initial CnC Beacon"; flow:established,to_server; content:"/adserv/logo.jpg"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV2)|0D 0A|"; http_header; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016728; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016729; rev:9;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-9a-f]{2,4})(?P<sep>[\x2e\x2c\x3b\x3a])(?P<d>(?!(?P=p))[0-9a-f]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-9a-f]{2,4}(?P=sep)){10}(?P<q>(?!((?P=p)|(?P=d)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P<dot>(?!((?P=p)|(?P=d)|(?P=q)))[0-9a-f]{2,4})(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-9a-f]{2,4}(?P=sep)(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016730; rev:13;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Revoyem Ransomware Check-in"; flow:established,to_server; content:".php?id="; http_uri; content:"&os="; http_uri; content:"&bot_id="; http_uri; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}&os=\d\.\d[^&]*&bot_id=/U"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016731; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Revoyem Ransomware Activity"; flow:established,to_server; content:".php?id="; http_uri; content:"&gr"; http_uri; fast_pattern:only; pcre:"/\.php\?id=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}-(\d{1,3}\.){3}\d{1,3}&gr/U"; reference:url,www.botnets.fr/index.php/Revoyem; classtype:trojan-activity; sid:2016732; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|74 3d c0 19|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016733; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/wmck.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016735; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS GonDadEK Java Exploit Requested"; flow:established,to_server; content:"/ckwm.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016736; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; rev:10;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Citadel Infection or Config URL Request"; flow:established,to_server; content:"/file.php|7C|file="; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel File.php CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/administrator/templates/system/html/file.php"; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016739; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel Content.php CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/administrator/modules/mod_menu/tmpl/content.php"; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016740; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel Pro File.php CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/pro/file.php"; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016741; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible W32/Citadel Download From CnC Server Self Referenced /files/ attachment"; flow:established,to_client;content:" filename=|22|%2e/files/"; nocase; http_header; pcre:"/\sfilename=\x22\%2e\/files\/[^\x22\x2f\r\n]+?\x22\r\n/H"; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016742; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Citadel Conf.bin Download From CnC Server"; flow:established,to_client; content:"filename=|22|%2e/files/conf.bin|22|"; nocase; http_header; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016743; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY NSISDL Iplookup.php IPCheck"; flow:established,to_server; content:"/iplookup.php"; http_uri; fast_pattern; content:"User-Agent|3A| NSISDL/1.2 (Mozilla)"; http_header; classtype:trojan-activity; sid:2016744; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/NSISDL.Downloader CnC Server Response"; flow:established,to_client; file_data; content:"[install 1]"; within:11; content:"Ins="; within:40; classtype:trojan-activity; sid:2016746; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RansomCrypt Intial Check-in"; flow:to_server,established; content:"GET "; depth:4; pcre:"/^\/[a-zA-Z0-9]+\sHTTP/R"; content:"Windows NT 5.1|3b| ru|3b|"; distance:0; content:"Gecko/20100722 Firefox/3.6.12|0d 0a|Host|3a|"; distance:0; fast_pattern:16,20; classtype:trojan-activity; sid:2016748; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN RansomCrypt Getting Template"; flow:to_server,established; content:"GET /lnd/template="; fast_pattern; pcre:"/^[^\r\n]*\/[a-z0-9]+\sHTTP/Ui"; content:"MSIE 7.0|3b| Windows NT 5.1|3b|"; distance:0; classtype:trojan-activity; sid:2016749; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit/Sakura applet + obfuscated URL Apr 10 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?(?i:value)[\r\n\s]*=[\r\n\s]*[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]+(?P=slash)/Rs"; classtype:trojan-activity; sid:2016751; rev:10;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino EK Plugin-Detect April 12 2013"; flow:established,from_server; file_data; content:"PluginDetect"; fast_pattern:only; nocase; content:"$(document).ready"; content:"function"; distance:0; pcre:"/\x28[\r\n\s]*?(?P<qa1>[\x22\x27]?)[a-f0-9]{24}(?P=qa1)[\r\n\s]*?,[\r\n\s]*?(?P<qa2>[\x22\x27]?)[a-z0-9]{1,20}(?P=qa2)[\r\n\s]*?/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016756; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016753; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via myip.dnsomatic.com - Possible Infection"; flow:established,to_server; content:"Host|3a 20|myip.dnsomatic.com|0d 0a|"; http_header; nocase; classtype:attempted-recon; sid:2016754; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; classtype:trojan-activity; sid:2016755; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Nymaim Checkin (2)"; flow:to_server,established; content:"POST"; http_method; content:"Content-Type|3a| application/x-www-form-urlencoded|0d 0a|"; http_header; nocase; content:" MSIE "; http_header; content:"filename="; depth:9; http_client_body; fast_pattern; content:"&data="; distance:0; http_client_body; pcre:"/^filename=[a-z]+?\.[a-z]+?&data=[^&]+?[\x00-\x09\x0B-\x0C\x0E-x1F\x7F\x80-\xFF]/P"; classtype:trojan-activity; sid:2016757; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Bitcoin Mining Extensions Header"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|X-Mining-Extensions|3a|"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; classtype:policy-violation; sid:2016758; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Redyms.A Checkin"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; offset:6; depth:7; content:".net|0d 0a|"; http_header; pcre:"/^POST \/(?P<filep>[a-z]{5,8})\.php HTTP.+?\r\nHost\x3a\x20(?P=filep)[a-z]+?\.net\r\n/s"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016759; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - PHPShell - Comment"; flow:established,to_client; file_data; content:"<!-- PHPShell "; classtype:attempted-user; sid:2016760; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PHPShell - Haxplorer URI"; flow:established,to_server; content:".php?&s=r&cmd=dir&dir="; http_uri; classtype:attempted-user; sid:2016761; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PHPShell - PHPKonsole URI"; flow:established,to_server; content:".php?&s=r&cmd=con"; http_uri; classtype:attempted-user; sid:2016762; rev:1;)
+
+#
+alert tcp 188.95.234.6 any -> $HOME_NET [22,443] (msg:"ET SCAN Non-Malicious SSH/SSL Scanner on the run"; flags: S,12; threshold: type limit, track by_src, seconds 60, count 1; reference:url,pki.net.in.tum.de/node/21; reference:url,isc.sans.edu/diary/SSH%2bscans%2bfrom%2b188.95.234.6/15532; classtype:network-scan; sid:2016763; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO PDF Payload Download"; flow:established,to_server; content:"User-Agent|3a 20|http|3a|//"; http_header; fast_pattern:only; pcre:"/^GET (?P<uri>(\/[A-Za-z0-9]+)?\/\d+\/\d+)\sHTTP/1\.1\r\nUser-Agent\x3a\x20http\x3a\/\/(?P<host>[^\r\n]+)(?P=uri)\r\nHost\x3a\x20(?P=host)\r\n(\r\n)?$/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016764; rev:13;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO PDF - Acrobat Enumeration - pdfobject.js"; flow:established,to_server; content:"/pdfobject.js"; http_uri; fast_pattern:only; classtype:misc-activity; sid:2016765; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF - Acrobat Enumeration - var PDFObject"; flow:established,to_client; file_data; content:"var PDFObject="; classtype:misc-activity; sid:2016766; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - SCR in PKZip Compressed Data Download"; flow:established,to_client; file_data; content:"PK"; within:2; content:".scr"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2016767; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Dorkbot.AR Join IRC channel"; flow:to_server,established; content:"NICK n|7B|"; depth:7; nocase; pcre:"/^\S{2,3}[\x2d\x7c]\S+?[au]\x7D\w{8}/Ri"; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32/Dorkbot.AR; reference:md5,7e76c7db8706511fc59508af4aef27fa; classtype:trojan-activity; sid:2016768; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Enchanim Check-in Response"; flow:established,to_client; file_data; content:"|3a|some_magic_code1"; distance:9; within:29; isdataat:!1,relative; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016769; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Enchanim Process List Dump"; flow:to_server,established; content:"GET"; http_method; content:"&pl=|5b|System|20|Process"; http_uri; content:"svchost.exe"; http_uri; content:"&r="; http_uri; content:"&g="; http_uri; content:"&s="; http_uri; content:"&c="; http_uri; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016770; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Enchanim C2 Injection Download"; flow:established,to_client; content:"set_url "; content:"|0d 0a|data_before|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_inject|0d 0a|"; distance:0; fast_pattern; content:"|0d 0a|data_end|0d 0a|"; distance:0; content:"|0d 0a|data_after|0d 0a|"; distance:0; content:"|0d 0a|data_end|0d 0a|"; distance:0; reference:md5,2642999a085443e9055b292c4d405e64; reference:md5,37066ed52cd7510bf04808c332599f1c; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:2016771; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mutter Backdoor Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/index.aspx?i="; http_uri; fast_pattern:only; pcre:"/^(Host\x3a [^\r\n]+?\r\nConnection\x3a Keep-Alive|Connection\x3a Keep-Alive\r\nHost\x3a [^\r\n]+?)\r\n(\r\n)?$/Hi"; reference:url,fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html; classtype:trojan-activity; sid:2016773; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET INFO Generic HTTP EXE Upload Inbound"; flow:established,to_server; content:"POST"; http_method; nocase; content:"MZ"; http_client_body; content:"|00 00 00 00|"; http_client_body; distance:0; content:"PE|00 00|"; http_client_body; fast_pattern; distance:0; classtype:misc-activity; sid:2016774; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Generic HTTP EXE Upload Outbound"; flow:established,to_server; content:"POST"; http_method; nocase; content:"MZ"; http_client_body; content:"|00 00 00 00|"; http_client_body; distance:0; content:"PE|00 00|"; http_client_body; fast_pattern; distance:0; classtype:misc-activity; sid:2016775; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Apr 18 2013"; flow:established,from_server; file_data; content:"telppa"; pcre:"/(?P<p>[0-7]{2,4})(?P<sep>[^0-7])(?P<d>(?!(?P=p))[0-7]{2,4})(?P=sep)(?P=p)(?P=sep)(?P=d)(?P=sep)([0-7]{2,4}(?P=sep)){10}(?P<q>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P<dot>[0-7]{2,4})(?P=sep)[0-7]{2,4}(?P=sep)(?P=dot)(?P=sep)[0-7]{2,4}(?P=sep)(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016776; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP Request to a *.pw domain"; flow:to_server,established; content:".pw"; nocase; fast_pattern; http_header; content:"|0d 0a|"; http_header; within:8; pcre:"/^Host\x3a[^\r\n]+?\.pw(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016777; rev:10;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DNS Query to a *.pw domain - Likely Hostile"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2016778; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; content:"?data="; http_uri; content:"&version="; http_uri; distance:0; content:"User-Agent|3a| win32|0D 0A|"; http_header; fast_pattern:only; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:trojan-activity; sid:2016780; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:9; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+.{8}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:trojan-activity; sid:2016922; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:trojan-activity; sid:2016782; rev:14;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Athena DDoS Bot Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/gate.php"; http_uri; content:"a="; http_client_body; depth:2; pcre:"/^a=(%[0-9A-Fa-f]{2})+\x26b=[0-9A-Za-z]+(%3[dD]){0,2}\x26c=(%[0-9A-Fa-f]{2})+$/P"; reference:md5,19ca0d830cd7b44e5de1ab85f4e17d82; classtype:trojan-activity; sid:2017633; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET POLICY Java Client on Common Sakura Ports"; flow:established,to_server; content:" Java/1."; fast_pattern:only; content:"|0d 0a|User-Agent|3a| Mozilla/"; pcre:"/^[^\r\n]+?Java\/1\./R"; flowbits:set,ET.http.javaclient.SakuraPorts; flowbits:noalert; classtype:misc-activity; sid:2016783; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient.SakuraPorts; content:"|0d 0a 0d 0a|PK"; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81:90 (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:" Java/1."; fast_pattern:only; content:"GET "; depth:4; pcre:"/^[^\r\n]*\/[0-9]{4}\.html HTTP\/1\./R"; content:".html HTTP/1."; classtype:trojan-activity; sid:2016786; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient.SakuraPorts; content:"filename="; pcre:"/^[a-z]{4}\.txt\x0D\x0A/R"; classtype:trojan-activity; sid:2016787; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mfunc"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/Pi"; classtype:attempted-user; sid:2016788; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mclude"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/Pi"; classtype:attempted-user; sid:2016789; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"dynamic-cached-content"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/Pi"; classtype:attempted-user; sid:2016790; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET WEB_SERVER Plesk Panel Possible HTTP_AUTH_LOGIN SQLi CVE-2012-1557"; flow:established,to_server; content:"POST "; depth:5; content:"/enterprise/control/agent.php"; distance:0; content:"HTTP_AUTH_LOGIN|3a|"; distance:0; pcre:"/^[^\r\n]*?[\x27\x22\t\\%\x00\x08\x26]/R"; reference:cve,CVE-2012-1557; classtype:attempted-user; sid:2016792; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 1"; flow:from_server,established; content:"302"; http_stat_code; content:"/index.php?"; http_header; content:"JnN1cmk9"; http_header; fast_pattern; distance:0; pcre:"/^Location\x3a\x20\s*?https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})\r$/Hmi"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016793; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Linux/Cdorked.A Incoming Command"; flow:established,to_server; content:"SECID="; fast_pattern:only; content:"SECID="; http_cookie; pcre:"/[&\?](?:4(?:4(?:3[123456789]|41|55)|c(?:3[123456789]|41))|5(?:354|431))(&|$)/U"; classtype:attempted-user; sid:2016794; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN ET TROJAN TROJ_NAIKON.A SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|04|donc"; fast_pattern; distance:1; within:5; content:"|55 04 0b|"; content:"|03|abc"; distance:1; within:4; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:2016795; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:"<jnlp "; nocase; content:"__applet_ssv_validated"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016797; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java JNLP Requested"; flow:established,to_server; flowbits:isset,ET.http.javaclient; urilen:71; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2016798; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Flash Exploit Requested"; flow:established,to_server; urilen:70; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}\.swf$/Ui"; classtype:trojan-activity; sid:2016799; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Medfos Connectivity Check"; flow:established,to_server; content:"/uploading/id="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; pcre:"/^\/uploading\/id=\d{2,20}&u=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/I"; classtype:misc-activity; sid:2016800; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear landing with obfuscated plugindetect Apr 29 2013"; flow:established,from_server; content:"visibility|3a|hidden"; pcre:"/(?P<e>\d{2})(?P<t>(?!(?P=e))\d{2})(?P=e)\d{2}(?P=t)\d{6}(?P=e)\d{12}(?P<q>(?!((?P=e)|(?P=t)))\d{2})\d{2}(?P<dot>(?!((?P=e)|(?P=t)|(?P=q)))\d{2})\d{2}(?P=dot)\d{2}(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016801; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO myobfuscate.com Encoded Script Calling home"; flow:to_server,established; content:"/?getsrc="; http_uri; content:"&url="; http_uri; content:"api.myobfuscate.com|0d|"; http_header; nocase; fast_pattern:only; classtype:misc-activity; sid:2016802; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response Header"; flow:established,to_client; content:"X-Sinkhole|3a| "; http_header; nocase; classtype:trojan-activity; sid:2016803; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - jreg.jar"; flow:established,to_server; content:"/jreg.jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016804; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern:only; classtype:trojan-activity; sid:2016805; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13"; flow:established,from_server; file_data; content:"Base64.decode"; nocase; fast_pattern:only; content:"eval("; nocase; pcre:"/^[\r\n\s]*?Base64\.decode[\r\n\s]*?\x28[\r\n\s]*?[\x22\x27]/Ri"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016807; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cookies/Cookiebag Checkin"; flow:to_server,established; content:"/indexs.zip"; http_uri; fast_pattern:only; reference:md5,840BD11343D140916F45223BA05ABACB; classtype:trojan-activity; sid:2016808; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Urausy.C Checkin 3"; flow:to_server,established; urilen:>80; content:"GET"; http_method; content:".php"; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; pcre:"/\/[a-z-_]{75,}\.php$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (compatible|3b| MSIE "; depth:42; http_header; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:trojan-activity; sid:2016809; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (1)"; flow:established,from_server; content:"|55 04 03|"; content:"|0d|*.tor2web.org"; nocase; distance:1; within:14; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016806; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tor2Web .onion Proxy Service SSL Cert (2)"; flow:established,from_server; content:"|55 04 03|"; content:"|0c|*.tor2web.fi"; nocase; distance:1; within:13; reference:url,uscyberlabs.com/blog/2013/04/30/tor-exploit-pak/; classtype:trojan-activity; sid:2016810; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Possible Redkit 1-4 char JNLP request "; flow:established,to_server; urilen:<11; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{1,4}\.jnlp$/U"; content:!"weather.aero"; http_header; classtype:trojan-activity; sid:2016811; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Greencat SSL Certificate"; flow:established,from_server; content:"|55 04 08 13 05|Ocean"; fast_pattern:only; classtype:trojan-activity; sid:2016812; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Possible BlackHole request with decryption Base "; flow:established,to_server; content:"&jopa="; nocase; http_uri; fast_pattern:only; pcre:"/&jopa=\d+$/U"; classtype:trojan-activity; sid:2016813; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 2"; flow:from_server,established; content:"302"; http_stat_code; content:"/index.php?"; http_header; content:"mc3VyaT0"; http_header; fast_pattern; distance:0; pcre:"/^Location\x3a\x20\s*?https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})\r$/Hmi"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016814; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Linux Backdoor Linux/Cdorked.A Redirect 3"; flow:from_server,established; content:"302"; http_stat_code; content:"/index.php?"; http_header; content:"ZzdXJpP"; http_header; fast_pattern; distance:0; pcre:"/^Location\x3a\x20\s*?https?\:\/\/[a-f0-9]{16}\.[^\r\n]+?\/index\.php\?[a-z]=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{4})\r$/Hmi"; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016815; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Variant.Zusy.45802 Checkin"; flow:to_server,established; content:".php?uid="; fast_pattern:only; http_uri; content:"&affid="; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)|0d 0a 0d 0a|"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/Ui"; classtype:trojan-activity; sid:2016816; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016818; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DEEP PANDA Checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"/forum/login.cgi"; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern:5,20; http_header; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:trojan-activity; sid:2016819; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DEEP PANDA Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"/Photos/Query.cgi?loginid="; http_uri; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; fast_pattern:5,20; http_header; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:trojan-activity; sid:2016820; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DEEP PANDA Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/Catelog/login1.cgi"; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,crowdstrike.com/sites/default/files/AdversaryIntelligenceReport_DeepPanda_0.pdf; classtype:trojan-activity; sid:2016821; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1347 IE 0-day used in DOL attack"; flow:established,to_client; file_data; content:".offsetParent"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"datalist"; nocase; pcre:"/^[\x22\x27\s\>]/R"; content:".innerHTML"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(\x22{2}|\x27{2}|null)/Ri"; content:"<!doctype html"; nocase; pcre:"/[\x22\x27\<]table[\x22\x27\>]/"; pcre:"/[\x22\x27\<]hr[\x22\x27\>]/"; content:"CollectGarbage"; nocase; fast_pattern:only; reference:cve,2013-1347; reference:url,labs.alienvault.com/labs/index.php/2013/u-s-department-of-labor-website-hacked-and-redirecting-to-malicious-code/; reference:url,technet.microsoft.com/en-us/security/advisory/2847140; classtype:attempted-user; sid:2016822; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Fake Opera 10 User-Agent"; flow:established,to_server; content:"|3a 20|Opera/10|20|"; http_header; fast_pattern:only; content:!"Accept|3a 20|"; http_header; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:2016823; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Possible CollectGarbage in base64 1"; flow:established,from_server; file_data; content:"Q29sbGVjdEdhcmJhZ2U"; classtype:misc-activity; sid:2016825; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Possible CollectGarbage in base64 2"; flow:established,from_server; file_data; content:"NvbGxlY3RHYXJiYWdlK"; classtype:misc-activity; sid:2016826; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Suspicious Possible CollectGarbage in base64 3"; flow:established,from_server; file_data; content:"Db2xsZWN0R2FyYmFnZS"; classtype:misc-activity; sid:2016827; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Requsting Payload"; flow:established,to_server; content:"/FlashPlayer.cpl"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016828; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Checkin"; flow:established,to_server; content:"POST"; http_method; pcre:"/\/[a-z]\/$/Ui"; content:"(compatible|3b|"; http_header; content:" MSIE "; distance:0; http_header; content:"(Compatible|3b|"; fast_pattern; distance:0; http_header; classtype:trojan-activity; sid:2016829; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:trojan-activity; sid:2016831; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Requesting Jar"; flow:established,to_server; content:"/j21.jar"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016832; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"eval("; nocase; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; classtype:attempted-user; sid:2016833; rev:5;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Trojan POST"; flow:established,to_server; content:"POST"; http_method; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"/a/"; http_uri; fast_pattern; content:"PHPSESSID="; http_cookie; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016834; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern:only; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion password.properties access"; flow:established,to_server; content:"GET"; http_method; nocase; content:"password.properties"; http_uri; nocase; reference:url,cxsecurity.com/issue/WLB-2013050065; classtype:web-application-attack; sid:2016836; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alina Checkin"; flow: established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"User-Agent|3a| Alina v"; http_header; content:"act="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; content:"&v="; http_client_body; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016837; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alina User-Agent(Alina)"; flow: established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3a| Alina v"; http_header; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; classtype:trojan-activity; sid:2016838; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit hex.zip Java Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:".zip"; http_uri; pcre:"/\/[a-f0-9]+\.zip$/U"; classtype:trojan-activity; sid:2016839; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern:only; content:"</applet>"; content:"<applet"; within:20; content:"archive"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?P<q>[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:trojan-activity; sid:2016840; rev:4;)
+
+#
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion path disclosure to get the absolute path"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/administrator/analyzer/index.cfm"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,www.exploit-db.com/exploits/25305/; classtype:web-application-attack; sid:2016841; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion scheduletasks access"; flow:established,to_server; content:"/CFIDE/administrator/scheduler/scheduletasks.cfm"; http_uri; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016842; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ColdFusion scheduleedit access"; flow:established,to_server; content:"/CFIDE/administrator/scheduler/scheduleedit.cfm"; http_uri; nocase; reference:url,exploit-db.com/exploits/24946/; classtype:web-application-attack; sid:2016843; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader.Win32.AutoIt.mj Checkin"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/downloads/IPFilter"; http_uri; nocase; content:".exe"; http_uri; nocase; pcre:"/\/downloads\/IPFilter\.exe$/Ui"; content:"User-Agent|3a| AutoIt"; depth:18; http_header; reference:url,threatexpert.com/report.aspx?md5=c4e923564c564163620959f23691cc26; reference:md5,4a77d3575845cf24b72400816d0b95c2; classtype:trojan-activity; sid:2016844; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HTTPing Usage Inbound"; flow:established,to_server; content:"User-Agent|3a 20|HTTPing"; http_header; reference:url,www.vanheusden.com/httping/; classtype:policy-violation; sid:2016845; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Troj.Cidox Checkin"; flow:established,to_server; content:".php?sign="; fast_pattern:only; http_uri; content:"&key="; http_uri; content:"&av="; http_uri; content:"&os="; http_uri; content:"&vm="; http_uri; content:"&digital="; http_uri; reference:md5,0ce7f9dde5c273d7e71c9f1301fe505d; classtype:trojan-activity; sid:2017349; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible Firefox Plugin install"; flow:to_server,established; content:".xpi"; http_uri; nocase; fast_pattern:only; pcre:"/\.xpi$/Ui"; content:" Firefox/"; http_header; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:2016846; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Possible Chrome Plugin install"; flow:to_server,established; content:"|2f|crx|2f|blobs"; http_uri; nocase; fast_pattern:only; content:" Chrome/"; http_header; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:2016847; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole Java Exploit Artifact"; flow:established,to_server; content:"/hw.class"; http_uri; content:" Java/1."; http_header; reference:url,vanheusden.com/httping/; classtype:policy-violation; sid:2016848; rev:9;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Possible Linux/Cdorked.A CnC"; flow:established,to_server; content:"/favicon.iso?"; fast_pattern:only; http_uri; reference:url,code.google.com/p/malware-lu/wiki/en_malware_cdorked_A; reference:url,welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/; classtype:trojan-activity; sid:2016850; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Winwebsec/Zbot/Luder Checkin Response"; flow:established,from_server; file_data; content:"ingdx.htmA{ip}"; nocase; classtype:trojan-activity; sid:2016851; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Posting Plugin-Detect Data May 15 2013"; flow:established,to_server; content:"POST"; nocase; http_method; pcre:"/^\/[a-z][a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+[?&][a-z]+=\d+\r$/Hmi";content:"=%25"; http_client_body; pcre:"/=%25[0-9A-F]{2}%25[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016853; rev:15;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Embedded Android Dalvik Executable File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"dex|0A|"; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016854; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Embedded ZIP/APK File With Fake Windows Executable Header - Possible AV Bypass Attempt"; flow:established,to_client; file_data; content:"MZ"; within:2; content:"This program"; distance:0; content:"PK|03|"; distance:0; content:"classes."; distance:0; reference:url,research.zscaler.com/2013/03/guess-who-am-i-pe-or-apk.html; classtype:trojan-activity; sid:2016855; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Android Dalvik Executable File Download"; flow:established,to_client; file_data; content:"dex|0A|"; within:4; reference:url,source.android.com/tech/dalvik/dex-format.html; classtype:policy-violation; sid:2016856; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/Pushdo CnC Server Fake JPEG Response"; flow:established,to_client; file_data; content:"<!--[if IE]"; distance:0; content:"<img src=|22|data|3A|image/jpeg|3B|base64"; distance:0; reference:url,www.damballa.com/downloads/r_pubs/Damballa_mv20_case_study.pdf; classtype:trojan-activity; sid:2016857; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic - POST To .php w/Extended ASCII Characters"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^.{0,3}[\x80-\xff]{1,3}[\x00-\x7f]{1,3}[\x80-\xff]{1,3}[\x80-\xff]{1,3}/P"; classtype:trojan-activity; sid:2016858; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Neurevt.A checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:!"Referer|3a|"; http_header; content:"ps0="; http_client_body; depth:4; fast_pattern; content:"&ps1="; http_client_body; pcre:"/^ps0=[A-F0-9]+\&ps1=[A-F0-9]+($|\&[a-z]s\d=)/P"; reference:md5,c447d364a9dad369ff07dcc14f5fbefb; reference:md5,a0a66dfbdf1ce76782ba20a07a052976; classtype:trojan-activity; sid:2017371; rev:7;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page May 16 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"Seven guids Seven g"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016860; rev:16;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_MM - Java Exploit - cee.jar"; flow:established,to_server; content:"/cee.jar"; http_uri; content:" Java/"; http_header; classtype:trojan-activity; sid:2016859; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hangover Campaign Keylogger Checkin"; flow:established,to_server; content:".php?fol="; fast_pattern:only; http_uri; content:"&ac="; http_uri; content:"AVs"; http_uri; content:"OS"; http_uri; content:"SystemDT"; http_uri; content:"AppVersion"; http_uri; content:"DropPath"; http_uri; reference:md5,023d82950ebec016cd4016d7a11be58d; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016861; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hangover Campaign Keylogger 2 checkin"; flow:established,to_server; content:"/access.php"; fast_pattern:only; http_uri; content:"User-Agent|3a| sendfile"; http_header; reference:md5,0b38f87841ed347cc2a5ffa510a1c8f6; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016862; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.VB.cefz Checkin"; flow:established,to_server; content:"/hyper/fm.php?tp=in"; fast_pattern:only; http_uri; content:"&tg="; http_uri; reference:md5,0cace87b377a00df82839c659fc3adea; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016863; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Agent.bjjv Checkin"; flow:established,to_server; content:"/wakeup/access.php"; fast_pattern:only; http_uri; content:"User-Agent|3a| UPHTTP"; http_header; reference:md5,06ba10a49c8cea32a51f0bbe8f5073f1; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016864; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger.acqh User-Agent(EMSFRTCBVD)"; flow:established,to_server; content:"User-Agent|3a| EMSFRTCBVD"; http_header; fast_pattern:12,10; reference:md5,0e9e46d068fea834e12b2226cc8969fd; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016865; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Spy.Win32.KeyLogger.acuj Checkin"; flow:established,to_server; content:".php"; http_uri; content:"User-Agent|3a| MyHttpClient"; http_header; content:"tit="; fast_pattern; depth:4; http_client_body; content:"&cont="; http_client_body; reference:md5,078d12eb9fc2b1665c0cc3001448b69b; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016866; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3a 20|"; http_header; content:"Accept|3a| */*|0d 0a|Accept-Language|3a| en-us|0d 0a|Content-Type|3a| application/octet-stream|0d 0a|Content-Length|3a| "; http_header; depth:93; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|Host|3a|"; http_header; fast_pattern:37,20; distance:0; content:"Connection|3a| Keep-Alive|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; http_header; distance:0; threshold: type threshold,track by_src,count 1,seconds 60; classtype:trojan-activity; sid:2016867; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Plugin-Detect 2 May 20 2013"; flow:established,from_server; file_data; content:"encodeURIComponent(xor(JSON.stringify"; fast_pattern:8,20; content:"PluginDetect.getVersion"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016868; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; pcre:"/^\/[a-f0-9]{16}$/U"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5."; flow:to_server,established; content:" MSIE 5."; fast_pattern:only; http_header; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s5\./Hmi"; content:!".microsoft.com|0d 0a|"; http_header; content:!".trendmicro.com|0d 0a|"; http_header; content:!".sony.net|0d 0a|"; http_header; content:!".weather.com|0d 0a|"; http_header; content:!".yahoo.com|0d 0a|"; http_header; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016870; rev:8;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 4."; flow:to_server,established; content:" MSIE 4."; http_header; fast_pattern:only; nocase; content:!".weatherbug.com|0d 0a|"; http_header; content:!".wxbug.com|0d 0a|"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s4\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016871; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 3."; flow:to_server,established; content:" MSIE 3."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s3\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016872; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2."; flow:to_server,established; content:" MSIE 2."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s2\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016873; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Internet Explorer Version MSIE 1."; flow:to_server,established; content:" MSIE 1."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s1\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016874; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake FireFox Version 0."; flow:to_server,established; content:" Firefox/0."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sFirefox\/0\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016875; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake FireFox Version 1."; flow:to_server,established; content:" Firefox/1."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sFirefox\/1\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016876; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake FireFox Version 2."; flow:to_server,established; content:" Firefox/2."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sFirefox\/2\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016877; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Windows NT Version 4."; flow:to_server,established; content:" Windows NT 4."; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sWindows NT 4\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016878; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Unsupported/Fake Windows NT Version 5.0"; flow:to_server,established; content:" Windows NT 5.0"; http_header; fast_pattern:only; nocase; pcre:"/^User-Agent\x3a[^\r\n]+?\sWindows NT 5\.0/Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:policy-violation; sid:2016879; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 0 User-Agent"; flow:established,to_server; content:"Windows NT 0"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+?\sWindows NT 0\./Hmi"; classtype:trojan-activity; sid:2016880; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(FMBVDFRESCT)"; flow:established,to_server; content:"User-Agent|3a| FMBVDFRESCT"; nocase; http_header; fast_pattern:12,10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016881; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DSMBVCTFRE)"; flow:established,to_server; content:"User-Agent|3a| DSMBVCTFRE"; nocase; http_header; fast_pattern:12,10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016882; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(MBESCVDFRT)"; flow:established,to_server; content:"User-Agent|3a| MBESCVDFRT"; nocase; http_header; fast_pattern:12,10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016883; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(TCBFRVDEMS)"; flow:established,to_server; content:"User-Agent|3a| TCBFRVDEMS"; nocase; http_header; fast_pattern:12,10; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016884; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMOMAKE)"; flow:established,to_server; content:"User-Agent|3a| DEMOMAKE"; nocase; http_header; fast_pattern:12,8; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016885; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(DEMO)"; flow:established,to_server; content:"User-Agent|3a| DEMO|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016886; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(UPHTTP)"; flow:established,to_server; content:"User-Agent|3a| UPHTTP|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016887; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(sendFile)"; flow:established,to_server; content:"User-Agent|3a| sendFile|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016888; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(wininetget/0.1)"; flow:established,to_server; content:"User-Agent|3a| wininetget/"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016889; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED TrojanSpy.KeyLogger Hangover Campaign User-Agent(file)"; flow:established,to_server; content:"User-Agent|3a| file|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016890; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(vbusers)"; flow:established,to_server; content:"User-Agent|3a| vbusers|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016891; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(folderwin)"; flow:established,to_server; content:"User-Agent|3a| folderwin|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016892; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(smaal)"; flow:established,to_server; content:"User-Agent|3a| smaal|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016893; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(nento)"; flow:established,to_server; content:"User-Agent|3a| nento|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016894; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanSpy.KeyLogger Hangover Campaign User-Agent(bugmaal)"; flow:established,to_server; content:"User-Agent|3a| bugmaal|0d 0a|"; nocase; http_header; reference:url,blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples; reference:url,enterprise.norman.com/resources/files/unveiling_an_indian_cyberattack_infrastructure_appendixes.pdf; classtype:trojan-activity; sid:2016895; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5"; flow:established,to_server; content:" MSIE 9.0|3b| Windows NT 5."; fast_pattern:3,20; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s9\.0\x3b\sWindows\sNT\s5\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; reference:url,windows.microsoft.com/en-us/internet-explorer/products/ie-9/system-requirements; classtype:trojan-activity; sid:2016897; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious MSIE 10 on Windows NT 5"; flow:established,to_server; content:" MSIE 10.0|3b| Windows NT 5."; fast_pattern:4,20; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s10\.0\x3b\sWindows\sNT\s5\./Hmi"; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016898; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Registering Client"; flow:established,to_server; content:"/gate.php?reg="; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?reg=([a-z]{10}|[A-Za-z]{15})$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016899; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.BlackRev Polling for DoS targets"; flow:established,to_server; content:"/gate.php?cmd=urls"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=urls$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016900; rev:4;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getexe"; http_uri; fast_pattern:only; pcre:"/\/gate\.php\?cmd=getexe$/U"; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016901; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Download Executable"; flow:established,to_server; content:"/gate.php?cmd=getinstallconfig"; http_uri; fast_pattern:10,20; pcre:"/\/gate\.php\?cmd=getinstallconfig$/U"; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016902; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (DownloadMR)"; flow:to_server,established; content:"User-Agent|3a| DownloadMR"; nocase; http_header; reference:url,www.virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5, 0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016903; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS User-Agent (ChilkatUpload)"; flow:to_server,established; content:"User-Agent|3a| ChilkatUpload"; http_header; nocase; reference:url,chilkatsoft.com; classtype:trojan-activity; sid:2016904; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.MSIL.Solimba.b GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/dmr/access/"; http_uri; content:"User-Agent|3a| DownloadMR"; nocase; http_header; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5, 0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016905; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.MSIL.Solimba.b POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/dmr/exception"; http_uri; content:"User-Agent|3a| DownloadMR"; nocase; http_header; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5, 0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016906; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Registration Rev3"; flow:established,to_server; content:"/gate.php?id="; http_uri; pcre:"/\/gate\.php\?id=[a-z]{15}$/U"; content:"(compatible|3b| Synapse)"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016909; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Get Command Rev3"; flow:established,to_server; content:"/get"; http_uri; pcre:"/\/get$/U"; content:"(compatible|3b| Synapse)"; http_header; content:!"Referer|3a 20|"; http_header; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi/; classtype:trojan-activity; sid:2016910; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Briba CnC POST Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index"; http_uri; depth:6; content:".asp"; http_uri; distance:9; within:4; content:" MSIE "; http_header; content:"Host|3A| update.microsoft.com"; http_header; content:"Content-Length|3a| 00"; http_header; fast_pattern:only; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; classtype:trojan-activity; sid:2016911; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Antavmu.guw Checkin"; flow:to_server,established; content:"/smadstat.php?mac="; fast_pattern:only; http_uri; content:"&key="; http_uri; content:"&name="; http_uri; content:"&os="; http_uri; content:"&build="; http_uri; content:"&old="; http_uri; content:"&comp="; http_uri; content:"User-Agent|3a| Smart-RTP|0d 0a|"; http_header; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; reference:url,www.securelist.com/en/descriptions/16150989/Trojan.Win32.Antavmu.guw?print_mode=1; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; classtype:trojan-activity; sid:2016914; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Smart-RTP"; flow: established,to_server; content:"User-Agent|3A| Smart-RTP"; nocase; http_header; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5, 2b63ed542eb0e1a4547a2b6e91391dc0; classtype:trojan-activity; sid:2016915; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA"; flow: established,to_server; content:"User-Agent|3A| Custom_56562_HttpClient/VER_STR_COMMA"; nocase; http_header; classtype:trojan-activity; sid:2016916; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware pricepeep Adware.Shopper.297"; flow: established,to_server; content:"GET"; nocase; http_method; content:"/logger/software/hit/"; nocase; http_uri; content:"/?v."; nocase; http_uri; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:trojan-activity; sid:2016917; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible NGINX Overflow CVE-2013-2028 Exploit Specific"; flow:established,to_server; content:"chunked"; http_header; nocase; fast_pattern:only; pcre:"/Transfer-Encoding\x3a[^\r\n]*?chunked/Hi"; pcre:"/^[\r\n\s]*?[^\r\n]+HTTP\/1\.\d[^\r\n]*?\r?\n((?!(\r?\n\r?\n)).)*?Transfer-Encoding\x3a[^\r\n]*?Chunked((?!(\r?\n\r?\n)).)*?\r?\n\r?\n[\r\n\s]*?(f{6}[8-9a-f][0-9a-f]|[a-f0-9]{9})/si"; reference:url,www.vnsecurity.net/2013/05/analysis-of-nginx-cve-2013-2028/; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/nginx_chunked_size.rb; classtype:attempted-admin; sid:2016918; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Apache Struts Possible xwork Disable Method Execution"; flow:established,to_server; content:"xwork"; http_uri; nocase; content:"MethodAccessor"; http_uri; nocase; content:"denyMethodExecution"; http_uri; nocase; fast_pattern:only; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-admin; sid:2016920; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Mozilla UA with no Space after colon"; flow:established,to_server; content:"User-Agent|3a|Mozilla"; http_header; nocase; fast_pattern:only; threshold: type limit,track by_src,count 2,seconds 60; classtype:trojan-activity; sid:2016921; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016923; rev:11;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016924; rev:10;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern:only; content:"<APPLET"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016926; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone("; nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:10;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern:only; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:trojan-activity; sid:2016928; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Fake Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern:only; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:trojan-activity; sid:2016929; rev:10;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Java Artifact May 24 2013"; flow:to_server,established; content:"/PoC.class"; http_uri; nocase; content:" Java/1"; http_header; classtype:trojan-activity; sid:2016930; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole EK JNLP request"; flow:established,to_server; content:".php?jnlp="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?jnlp=[a-f0-9]{10}(,|$)/Ui"; content:" Java/1."; http_header; classtype:trojan-activity; sid:2016931; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Spy/Infostealer.Win32.Embed.A Client Traffic"; flow:established,to_server; content:"search?hl="; http_uri; content:"&q="; distance:4; http_uri; content:"&meta="; distance:0; fast_pattern; http_uri; content:"&id="; distance:0; http_uri; reference:url,contagiodump.blogspot.no/2011/01/jan-6-cve-2010-3333-with-info-theft.html; classtype:trojan-activity; sid:2016932; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request to Afraid.org Top 100 Dynamic DNS Domain May 28 2013"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\x3a\x20[^\r\n]+\.(?:s(?:tr(?:eetdirectory\.co\.id|angled\.net)|h(?:(?:ell|it)\.la|op\.tm)|pacetechnology\.net|(?:at-dv|vlen)\.ru|exypenguins\.com)|t(?:h(?:emafia\.info|cgirls\.com)|wilightparadox\.com|ime4film\.ru|ruecsi\.org|28\.net|ang\.la)|h(?:a(?:ck(?:-inter\.net|ed\.jp)|ppyforever\.com)|ome(?:net\.or|\.k)g|-o-s-t\.name|4ck\.la)|a(?:(?:mursk-rayon|gropeople)\.ru|n(?:tongorbunov|ydns)\.com|llowed\.org|rmed\.us|x\.lt)|c(?:(?:hickenkiller|rabdance)\.com|o(?:ntinent\.kz|alnet\.ru)|sproject\.org|n\.mu)|m(?:a(?:dhacker\.biz|idlab\.jp)|ooo\.(?:info|com)|3th\.org|ine\.bz)|b(?:i(?:gbox\.info|z\.tm)|yte4byte\.com|ot\.nu|rb\.dj|d\.to)|l(?:inux(?:(?:secured|maniac)\.net|d\.org)|(?:amer|eet)\.la)|i(?:(?:gnorelist\.co|nfo\.t)m|z(?:vor\.ru|\.rs)|iiii\.info)|p(?:(?:rivatedns|sybnc|ort0|wnz)\.org|irat3\.com|unked\.us)|r(?:o(?:cketcat\.info|\.lt)|-o-o-t\.net|00t\.la)|k(?:(?:ir22\.r|\.v)u|urstenge\.kz|eren\.la)|d(?:earabba\.org|-n-s\.name|alnet\.ca)|n(?:a(?:ken\.net|\.tl)|ow\.im|x\.tc)|v(?:(?:erymad\.ne|r\.l)t|ietnam\.ro)|j(?:umpingcrab\.com|avafaq\.nu)|u(?:n(?:do\.it|i\.cx)|[ks]\.to)|f(?:(?:art|ram)ed\.net|tp\.sh)|(?:whynotad|3dxtras)\.com|(?:zvezdaringa\.r|69\.m)u|e(?:vils\.in|z\.lv)|(?:55|gw)\.lt|qc\.to)(\x3a\d{1,5})?\r$/Hmi"; classtype:bad-unknown; sid:2016933; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Safe User Agent Fantasia"; flow:established,to_server; content:"User-Agent|3A| Fantasia|0D 0A|"; http_header; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf; classtype:trojan-activity; sid:2016934; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Select Sleep Time Delay"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"SLEEP"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bSLEEP/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016935; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection Local File Access Attempt Using LOAD_FILE"; flow:established,to_server; content:"LOAD_FILE("; http_uri; nocase; fast_pattern:only; reference:url,dev.mysql.com/doc/refman/5.1/en/string-functions.html#function_load-file; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016936; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection List Priveleges Attempt"; flow:established,to_server; content:"SELECT"; http_uri; nocase; content:"PRIV"; http_uri; nocase; distance:0; pcre:"/\bSELECT.*?\bPRIV/Ui"; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2016937; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Ezula Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/UVid.asp?"; fast_pattern:only; http_uri; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:trojan-activity; sid:2016938; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Variant.Kazy.174106 Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; pcre:"/^[^\r\n]+?\.php\?T=/R"; content:"User-Agent|3a| Tesla"; fast_pattern:only; reference:md5,ff7a263e89ff01415294470e1e52c010; classtype:trojan-activity; sid:2016939; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vobfus Check-in"; flow:established,to_server; content:".php?page="; http_uri; content:"&style=LED_g&nbdigits="; http_uri; distance:0; fast_pattern; content:"User-Agent|3a 20|Opera"; http_header; nocase; classtype:trojan-activity; sid:2016940; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; content:"<div id"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27][^\x22\x27]+?[\x22\x27][^>]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version|3a 22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [81:90,9090] (msg:"ET CURRENT_EVENTS Sakura - Payload Requested"; flow:established,to_server; content:" Java/1."; content:".pkg HTTP/1."; nocase; pcre:"/^[^\r\n]+?\/\d+\.pkg HTTP\/1\./i"; classtype:trojan-activity; sid:2016943; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP connection to net78.net Free Web Hosting (Used by Various Trojans)"; flow:established,to_server; content:".net78.net|0d 0a|"; http_header; fast_pattern:only; nocase; reference:url,www.net78.net; classtype:bad-unknown; sid:2016944; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura encrypted binary (2)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|58 23 3a d4|"; within:4; classtype:trojan-activity; sid:2016945; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET TROJAN Possible Win32.Bicololo Checkin"; flow:established,to_server; content:"GET "; depth:4; pcre:"/^\/stat\/[a-z]{3,4}\/\d{1,4}\sHTTP\/1\./R"; content:"/stat/"; nocase; fast_pattern:only; flowbits:set,ET.Bicololo.Request; reference:md5,252c95327ce556a21bdd7e9a322e206c; reference:url,www.virusradar.com/Win32_Bicololo.A/description; classtype:trojan-activity; sid:2016946; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo Response 1"; flow:established,to_client; content:"Set-Cookie|3a| ci_session="; content:"|0d 0a 0d 0a|7|0d 0a|ne_unik|0d 0a|0"; fast_pattern; distance:0; pcre:"/^(\r\n)+?$/R"; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016947; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET !80 -> $HOME_NET any (msg:"ET TROJAN Win32.Bicololo Response 2"; flow:established,to_client; flowbits:isset,ET.Bicololo.Request; content:"|0d 0a|Set-Cookie|3a| ci_session="; content:"|0d 0a 0d 0a|2|0d 0a|ok|0d 0a|0"; fast_pattern; distance:0; pcre:"/^(\r\n)+?$/R"; reference:md5,691bd07048b09c73f0a979529a66f6e3; classtype:trojan-activity; sid:2016948; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Backdoor.Linux.Tsunami Outbound HTTP request"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.75 [en] (X11|3b| U|3b| Linux 2.2.16-3 i686)|0d 0a|"; http_header; fast_pattern:12,20; content:"|3a|80|0d 0a|"; http_header; reference:url,malwaremustdie.blogspot.jp/2013/05/story-of-unix-trojan-tsunami-ircbot-w.html; classtype:trojan-activity; sid:2016949; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; content:"/ip.txt"; http_uri; nocase; fast_pattern:only; pcre:"/ip\.txt$/Ui"; pcre:"/^User-Agent\x3a(?!\x20Mozilla\/)[^\r\n]+\r?$/Hm"; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Probable Nuclear exploit kit landing page"; flow:established,to_server; content:".html HTTP/"; fast_pattern; offset:37; depth:11; content:"GET /"; depth:5; pcre:"/^[0-9a-f]{32}\.html HTTP\/1\./R"; content:"Referer|3a|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016952; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_uri; nocase; classtype:attempted-user; sid:2016953; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; content:"memberAccess"; http_client_body; nocase; content:"allowStaticMethodAccess"; http_client_body; nocase; classtype:attempted-user; sid:2016954; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; content:"memberAccess"; http_uri; nocase; content:"allowStaticMethodAccess"; http_uri; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; content:"java.lang.Runtime@getRuntime().exec("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; content:"java.io.FileOutputStream"; http_client_body; nocase; content:".write"; distance:0; nocase; http_client_body; content:"sun.misc.BASE64Decoder"; nocase; http_client_body; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; content:"java.io.FileOutputStream"; http_uri; nocase; content:".write"; distance:0; nocase; http_uri; content:"sun.misc.BASE64Decoder"; nocase; http_uri; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (AuthenticAMD)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"AuthenticAMD|3b|"; http_header; fast_pattern:only; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+AuthenticAMD\x3b/H"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016960; rev:8;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (GenuineIntel)"; flow:to_server,established; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"GenuineIntel|3b|"; http_header; fast_pattern:only; pcre:"/\(b\x3a\d+?\x3bc\x3a[^\x3b]+GenuineIntel\x3b/H"; reference:md5,16d529fc48250571a9e667fb264c8497; classtype:trojan-activity; sid:2016961; rev:9;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 2"; flow:to_server,established; pcre:"/^\d+?.\x00\x00\x00/"; byte_extract:4,-4,d_size,relative,little; byte_test:4,>,d_size,0,relative,little; content:"|78 9c|"; distance:4; within:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2016962; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern:only; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; classtype:trojan-activity; sid:2016964; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Metasploit Based Unknown EK Jar Download June 03 2013"; flow:established,to_server; content:"/j_"; http_uri; pcre:"/\/j_[a-z0-9]+_(?:0422|1723|3544|5076)\.jar$/U"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016965; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET [81:90,443] -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; content:"a5chZev!"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Symmi Remote File Injector Initial CnC Beacon"; flow:established,to_server; content:"/ggu.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; http_header; reference:url,www.deependresearch.org/2013/05/under-this-rock-vulnerable.html; classtype:trojan-activity; sid:2016967; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Travnet.A Internet Connection Check (microsoft.com)"; flow:to_server,established; content:"GET"; http_method; content:"/info/privacy_security.htm"; http_uri; content:!"Referer|3a 20|"; http_header; content:"microsoft.com|0d 0a|"; http_header; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,cb9cc50b18a7c91cf4a34c624b90db5d; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy%3AWin32%2FTravnet.A; reference:url,blogs.mcafee.com/mcafee-labs/travnet-botnet-steals-huge-amount-of-sensitive-data; classtype:trojan-activity; sid:2016969; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016970; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 32-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016971; rev:4;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 32-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{32}\/a\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016972; rev:5;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 16-hex/a.php Landing Page/Java exploit URI"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016973; rev:6;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 16-hex/a.php Jar Download"; flow:established,to_server; content:"/a.php"; http_uri; pcre:"/\/[0-9a-f]{16}\/a\.php/U"; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016974; rev:6;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format"; flow:established,to_server; content:"GET"; http_method; content:"/a"; depth:2; http_uri; pcre:"/^\/a[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?q[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2016975; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Payload Download (9)"; flow:established,to_server; content:".txt?f="; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?f=\d+$/U"; classtype:trojan-activity; sid:2016976; rev:8;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER allow_url_include PHP config option in uri"; flow:established,to_server; content:"allow_url_include"; http_uri; fast_pattern:only; pcre:"/\ballow_url_include\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016977; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER safe_mode PHP config option in uri"; flow:established,to_server; content:"safe_mode"; http_uri; fast_pattern:only; pcre:"/\bsafe_mode\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016978; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER suhosin.simulation PHP config option in uri"; flow:established,to_server; content:"suhosin.simulation"; http_uri; fast_pattern:only; pcre:"/\bsuhosin\.simulation\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016979; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER disable_functions PHP config option in uri"; flow:established,to_server; content:"disable_functions"; http_uri; fast_pattern:only; pcre:"/\bdisable_functions[\s\+]*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016980; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER open_basedir PHP config option in uri"; flow:established,to_server; content:"open_basedir"; http_uri; fast_pattern:only; pcre:"/\bopen_basedir\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016981; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER auto_prepend_file PHP config option in uri"; flow:established,to_server; content:"auto_prepend_file"; http_uri; fast_pattern:only; pcre:"/\bauto_prepend_file\s*?=/U"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016982; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Access to /phppath/php Possible Plesk 0-day Exploit June 05 2013"; flow:established,to_server; content:"/phppath/php"; http_uri; pcre:"/\/phppath\/php\b/Ui"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016983; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole EK Initial Gate from Linked-In Mailing Campaign"; flow:established,to_server; content:"/linkendorse.html"; http_uri; classtype:trojan-activity; sid:2016984; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Executable Served From /tmp/ Directory - Malware Hosting Behaviour"; flow:established,to_server; content:"/tmp/"; http_uri; depth:5; content:".exe"; http_uri; distance:0; pcre:"/^\x2Ftmp\x2F.+\x2Eexe$/U"; classtype:bad-unknown; sid:2016985; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor Login"; flow:to_server,established; content:"|c4 4c 87 3f 11 1e c4 1a|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016986; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor SysInfo Response header"; flow:to_server,established; content:"|ac 09 7b 09 4b 2a 92 bd ac 00|"; depth:10; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016987; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Manager Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 37 b3 2a b3 25 ff 76 ac 00|"; depth:14; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016988; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Download Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff 0c bd 55 2a 04 bd b3 6c ac 00|"; depth:15; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016989; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN KeyBoy Backdoor File Upload Response Header"; flow:to_server,established; content:"|ac 92 4b 04 ff cf 50 04 bd b3 6c ac 00|"; depth:13; reference:url,community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-tar geted-attacks-against-vietnam-and-india; classtype:trojan-activity; sid:2016990; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Alina Server Response Code"; flow: established,from_server; content:" 666 OK|0d 0a|"; fast_pattern:only; content:"666"; http_stat_code; nocase; reference:url,blog.spiderlabs.com/2013/05/alina-shedding-some-light-on-this-malware-family.html; reference:md5,7d6ec042a38d108899c8985ed7417e4a; classtype:trojan-activity; sid:2016991; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - *.tar.gz in POST body"; flow:established,to_server; content:".tar.gz"; nocase; http_client_body; classtype:bad-unknown; sid:2016992; rev:1;)
+
+#
+#alert ip $HOME_NET any -> [195.22.26.231,195.22.26.232] any (msg:"ET TROJAN Connection to AnubisNetworks Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016993; rev:3;)
+
+#
+#alert ip $HOME_NET any -> [50.57.148.87,166.78.144.80] any (msg:"ET TROJAN Connection to Georgia Tech Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016994; rev:2;)
+
+#
+#alert ip $HOME_NET any -> 212.227.20.19 any (msg:"ET TROJAN Connection to 1&1 Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016995; rev:3;)
+
+#
+#alert ip $HOME_NET any -> 176.31.62.76 any (msg:"ET TROJAN Connection to Zinkhole Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016996; rev:2;)
+
+#
+#alert ip $HOME_NET any -> 91.233.244.106 any (msg:"ET TROJAN Connection to Dr Web Sinkhole IP(Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016997; rev:2;)
+
+#
+#alert ip $HOME_NET any -> 193.166.255.171 any (msg:"ET TROJAN Connection to Fitsec Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016998; rev:2;)
+
+#
+#alert ip $HOME_NET any -> [131.253.18.0/24,199.2.137.0/24,207.46.90.0/24] any (msg:"ET TROJAN Connection to Microsoft Sinkhole IP (Possbile Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2016999; rev:3;)
+
+#
+#alert ip $HOME_NET any -> 1.1.1.0/24 any (msg:"ET TROJAN Connection to unallocated address space 1.1.1.0/24"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017000; rev:3;)
+
+#
+#alert ip $HOME_NET any -> 148.81.111.111 any (msg:"ET TROJAN Connection to a cert.pl Sinkhole IP (Possible Infected Host)"; threshold:type limit,track by_src,seconds 3600,count 1; classtype:trojan-activity; sid:2017001; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; byte_test:4,>,2147483647,-8,relative; reference:cve,2013-1331; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017005; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,to_client; file_data; content:"ScriptBridge.ScriptBridge"; content:"|00|h|00|t|00|t|00|p|00 3a 00 2f 00 2f 00|"; content:"|2f 00|v|00|w|00|.|00|p|00|h|00|p|00|?|00|i|00|="; distance:0; fast_pattern; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017006; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit plugin-detect script access"; flow:established,from_client; content:"/vw.php?i="; http_uri; fast_pattern:only; pcre:"/\/vw\.php\?i=[a-fA-F0-9]+?\-[a-fA-F0-9]+?$/U"; reference:url,blogs.technet.com/b/srd/archive/2013/06/11/ms13-051-get-out-of-my-office.aspx; classtype:attempted-user; sid:2017007; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT CVE-2013-1331 Microsoft Office PNG Exploit Specific"; flow:established,to_client; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; content:"IHDR"; distance:0; content:"tEXt"; distance:13; content:"db.php?j="; distance:0; content:"msnmusax.ninn"; fast_pattern:only; classtype:attempted-user; sid:2017008; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Tobfy.S"; flow:established,from_client; content:"/upload/img.jpg"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]{3,}\/upload\/img\.jpg$/U"; content:!"Referer|3a|"; http_header; reference:md5,ac03c5980e2019992b876798df2df9ab; classtype:trojan-activity; sid:2017004; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KimJongRAT cnc exe pull"; flow:established,to_server; content:"POST"; nocase; http_method; content:"subject="; nocase; http_client_body; depth:8; content:"&data="; nocase; http_client_body; pcre:"/^subject=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})_(?:(?:list|que)_done|ini(?:_done)?)&data/P"; reference:url,malware.lu/Pro/RAP003_KimJongRAT-Stealer_Analysis.1.0.pdf; classtype:trojan-activity; sid:2017009; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQLi xp_cmdshell POST body"; flow:established,to_server; content:"xp_cmdshell"; nocase; http_client_body; fast_pattern:only; classtype:bad-unknown; sid:2017010; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Glazunov EK Downloading Jar"; flow:established,to_server; content:" Java/1."; http_header; content:".zip"; http_uri; pcre:"/\/\d+\/\d\.zip$/U"; classtype:trojan-activity; sid:2017011; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WeBDAV"; flow:established,to_server; content:"/jvm.dll"; http_uri; fast_pattern:only; pcre:"/\/jvm\.dll$/U"; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:"<jnlp"; nocase; content:"initial-heap-size"; nocase; content:"max-heap-size"; content:"-XXaltjvm"; nocase; fast_pattern:only; reference:cve,2012-1533; classtype:trojan-activity; sid:2017013; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern:only; classtype:trojan-activity; sid:2017014; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,from_server; content:"|55 04 03|"; content:"|18|*.dropboxusercontent.com"; nocase; distance:1; within:25; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 1 June 12 2013"; flow:established,to_server; content:"/6u27.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017016; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 2 June 12 2013"; flow:established,to_server; content:"/6u41.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017017; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Jar 3 June 12 2013"; flow:established,to_server; content:"/7u17.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017018; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_header; content:"/.cache/?f|3d|"; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017019; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_header; classtype:trojan-activity; sid:2017020; rev:10;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TripleNine RAT Checkin"; flow:established,to_server; content:"/999"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/999$/U"; content:!"Referer|3a 20|"; http_header; content:".0|0d 0a|Host"; http_header; classtype:trojan-activity; sid:2017021; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 1"; flow:established,to_server; content:".php?"; http_uri; content:"3a313"; http_uri; fast_pattern:only; pcre:"/=(3[0-9a]|2e)+3a313[3-9](3[0-9]){8}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017022; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 2"; flow:established,to_server; content:".php?hash=I3QxW"; http_uri; fast_pattern:only; pcre:"/\.php\?hash=I3QxW[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017023; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:2;)
+
+#
+alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Webserver Backdoor"; flow:established,to_server; content:"User-Agent|3a 20|SEX/1"; nocase; http_header; fast_pattern:only; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017026; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Webserver Backdoor Domain (google-analytcs)"; flow:established,to_server; content:"google-analytcs.com|0d 0a|"; nocase; http_header; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:2017027; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - In Referrer"; flow:established,to_server; content:"/iniframe/"; http_header; content:"/"; distance:32; within:1; http_header; content:"/"; distance:1; within:5; http_header; content:"/"; distance:32; within:1; http_header; classtype:trojan-activity; sid:2017031; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect June 18 2013"; flow:established,to_client; file_data; content:",53,154,170,170,164,76,63,63,"; classtype:trojan-activity; sid:2017035; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Activity related to APT.Seinup Checkin 1"; flow:established,to_server; urilen:>87; content:"GET"; nocase; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"User-Agent|3a|"; depth:11; http_header; content:" MSIE 6.0|3b|"; http_header; distance:0; content:".NET CLR 1.1.4322"; distance:0; http_header; pcre:"/\.php\?[a-zA-Z0-9]+?=[a-zA-Z0-9]+?&[a-zA-Z0-9]+?=(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})(&[a-zA-Z0-9]+?=[a-f0-9]{32}){2}$/U"; reference:url,fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; classtype:trojan-activity; sid:2017036; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Javadoc API Redirect CVE-2013-1571"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?//"; http_header; fast_pattern:only; pcre:"/^Referer\x3a\x20[^\r\n]+\/((index|toc)\.html?)?\?\/\//Hmi"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Jar Download June 20 2013"; flow:established,to_server; content:"/contacts.asp"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017038; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS X20 EK Payload Download"; flow:established,to_server; content:"/download.asp?p=1"; http_uri; content:" Java/1."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2017039; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.7.x"; flow:established,to_server; content:"/frozen.jar"; http_uri; fast_pattern:only; content:" Java/1.7"; http_header; classtype:trojan-activity; sid:2017041; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (Old)"; flow:established,to_server; content:"/arina.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017042; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/sigwer.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017043; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Jar 1.6 (New)"; flow:established,to_server; content:"/dubstep.jar"; http_uri; fast_pattern:only; content:" Java/1.6"; http_header; classtype:trojan-activity; sid:2017044; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Drive DDoS Check-in"; flow:established,to_server; content:"k="; fast_pattern; http_client_body; depth:2; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"Content-Length|3a 20|17|0d 0a|"; http_header; content:"Host|3a|"; depth:5; http_header; pcre:"/-urlencoded\r\n(\r\n)?$/H"; pcre:"/^k=[a-z0-9]{15}$/P"; pcre:"/^k=[0-9]*?[a-z]/P"; flowbits:set,ET.Drive.DDoS.Checkin; classtype:trojan-activity; sid:2017045; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving GET DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-get http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017046; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving POST1 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post1 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017047; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving POST2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-post2 http"; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017048; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving IP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017049; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving IP2 DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-ip2 "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017050; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive Receiving UDP DDoS instructions"; flow:established,to_client; flowbits:isset,ET.Drive.DDoS.Checkin; file_data; content:"-udp "; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:trojan-activity; sid:2017051; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Poison Ivy [victim beacon]"; flow:established; dsize:48; content:"|a160339a8a1b3bc0d1ab956cf98855a8|"; offset: 16; depth:16; classtype:trojan-activity; sid:2017052; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Poison Ivy [server response]"; flow:established; dsize:48; content:"|b8abf415033717b74132d503b6ea381d|"; offset:16; depth:16; classtype:trojan-activity; sid:2017053; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - ELF File Uploaded"; flow:established,to_server; content:"|7F|ELF"; http_client_body; classtype:bad-unknown; sid:2017054; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:trojan-activity; sid:2017055; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content: "download"; nocase; classtype:trojan-activity; sid:2017056; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; classtype:trojan-activity; sid:2017058; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"POST "; depth:5; content:"/centralbackup.php?"; fast_pattern:only; content:"_v="; content:"deleteid="; classtype:trojan-activity; sid:2017060; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"POST "; depth:5; content:"solusvmc-node"; fast_pattern:only; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $HTTP_SERVERS [5353,5656,80] (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST "; depth:5; content:"/rootpassword.php?"; fast_pattern:only; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool/BHEK Applet with Alpha-Numeric Encoded HTML entity"; flow:established,from_server; file_data; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?&#(?:0*?(?:1(?:[0-1]\d|2[0-2])|[78][0-9]|9[07-9]|4[8-9]|5[0-7]|6[5-9])|x0*?(?:[46][1-9A-F]|[57][0-9A]|3[0-9]))(\x3b|&#)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017064; rev:16;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Pony Loader default URI struct"; flow:to_server,established; content:"GET"; http_method; content:"/pony"; http_uri; fast_pattern:only; content:"/gate.php"; http_uri; nocase; classtype:trojan-activity; sid:2017065; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; content:"/?wps="; http_uri; fast_pattern:only; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017068; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern:only; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017069; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit XOR decodeURIComponent"; flow:established,to_client; file_data; content:"xor(decodeURIComponent("; distance:0; classtype:trojan-activity; sid:2017071; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern:only; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:trojan-activity; sid:2017070; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Jun 26 2013"; flow:established,from_server; file_data; content:"mCharCode"; pcre:"/(?P<p>[0-7]{3})(?P<d>[0-7]{3})(?P=p)(?P=d)([0-7]{3}){10}(?P<q>[0-7]{3})[0-7]{3}(?P<dot>[0-7]{3})[0-7]{3}(?P=dot)[0-7]{3}(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017072; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; flow:established,from_server; file_data; content:"<textarea id|3d 22|"; content:"|22|>"; pcre:"/^(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{2}(?P<J>[0-9a-z]{2})[0-9a-z]{4}(?P=v)[0-9a-z]{6}(?P=space)[0-9a-z]{2}(?P=space)[0-9a-z]{64}(?P=J)(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017073; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MoinMoin twikidraw Action Traversal File Upload"; flow:to_server,established; content:"POST"; http_method; content:"?action=twikidraw"; http_uri; content:"&target="; http_uri; content:"|2e 2e 2f|moin.wsgi"; reference:bugtraq,57082; reference:cve,2012-6081; reference:url,packetstormsecurity.com/files/122079/moinmoin_twikidraw.rb.txt; reference:url,exploit-db.com/exploits/25304/; classtype:web-application-attack; sid:2017074; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet structure June 27 2013"; flow:established,from_server; file_data; content:"<applet"; content:"<param value=|22|1|22| name=|22|WindowSize|22|>"; fast_pattern:15,20; distance:0; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?[a-f0-9]/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017075; rev:5;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole EK Variant Payload Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){5}&[^=]+=(?:3[0-2a-e8-9]|[47][0-2]|2[d-j]|5[2-7]|6[c-e]){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017076; rev:8;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redirect to DotkaChef EK Landing"; flow:established,from_server; content:".js?cp="; http_header; fast_pattern:only; content:"302"; http_stat_code; pcre:"/^Location\x3a[^\r\n]+\/[A-Fa-f0-9]+\.js\?cp=/Hmi"; classtype:trojan-activity; sid:2017077; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Lucky7 Java Exploit URI Struct June 28 2013"; flow:established,to_server; content:" Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/[a-z]+\.php\?[a-z]+?=\d{7}&[a-z]+?=\d{7,8}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017078; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check GET Jul 01 2013"; flow:established,to_server; content:"GET"; http_method; content:"|29 20|Java/1"; http_header; fast_pattern:only; content:"text="; http_uri; pcre:"/\?(s|page|id)=\d+&text=\d+$/U"; classtype:trojan-activity; sid:2017079; rev:1;)
+
+#
+alert tcp any any -> any $HTTP_PORTS (msg:"ET INFO ClearTextAuth - HTTP - http_client_body contains pasa="; flow:established,to_server; content:"pasa="; http_client_body; pcre:"/pasa=(?!&)./Pi"; classtype:policy-violation; sid:2017080; rev:1;)
+
+#
+alert tcp any any -> any $HTTP_PORTS (msg:"ET INFO ClearTextAuth - HTTP - http_uri contains pasa="; flow:established,to_server; content:"pasa="; http_uri; nocase; fast_pattern:only; pcre:"/(?<=(\?|&))pasa=(?!&)./Ui"; classtype:policy-violation; sid:2017081; rev:2;)
+
+#
+alert tcp any any -> any $HTTP_PORTS (msg:"ET INFO ClearTextAuth - HTTP - http_client_body contains pasa form"; flow:established,to_server; content:"name=|22|pasa|22|"; http_client_body; classtype:policy-violation; sid:2017082; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GOD Hacker"; flow:established,to_client; file_data; content:"GOD Hacker"; classtype:trojan-activity; sid:2017083; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - GODSpy title"; flow:established,to_client; file_data; content:"GODSpy</title>"; classtype:trojan-activity; sid:2017084; rev:2;)
+
+#
+alert tcp any any -> any any (msg:"ET WEB_SERVER WebShell - GODSpy - Cookie"; flow:established; content:"godid="; http_cookie; content:"godid="; fast_pattern:only; classtype:trojan-activity; sid:2017085; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - GODSpy - MySQL"; flow:established,to_server; content:"dbhost="; http_client_body; content:"dbuser="; http_client_body; content:"dbpass="; classtype:trojan-activity; sid:2017086; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - GODSpy - Auth Prompt"; flow:established,to_client; file_data; content:"name=|22|haz|22| value=|22|pasa|22|>"; classtype:trojan-activity; sid:2017087; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - GODSPy - Auth Creds"; flow:established,to_server; content:"ctr="; http_client_body; content:"haz=pasa"; http_client_body; classtype:trojan-activity; sid:2017088; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Pouya - Pouya_Server Shell"; flow:established,to_client; file_data; content:"Pouya_Server Shell"; classtype:trojan-activity; sid:2017089; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Pouya - URI - raiz"; flow:established,to_server; content:".asp?raiz="; http_uri; classtype:trojan-activity; sid:2017090; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Pouya - URI - action="; flow:established,to_server; content:".asp?action="; http_uri; nocase; fast_pattern:only; pcre:"/\.asp\?action=(?:txt(?:edit|view)|upload|info|del)(&|$)/Ui"; classtype:trojan-activity; sid:2017091; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack Jar Download Jul 01 2013"; flow:established,to_client; content:"j51"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)j51[a-f0-9]{21}\.jar(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017092; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack EXE Download Jul 01 2013"; flow:established,to_client; content:"e51"; http_header; nocase; content:".exe"; http_header; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]+?=\s*?(?P<q>[\x22\x27]?)e51[a-f0-9]{21}\.exe(?P=q)\r?$/Hm"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017093; rev:1;)
+
+#
+alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar pipe.class"; flow:established,from_server; file_data; content:"PK"; within:2; content:"|00|pipe.class"; fast_pattern; content:"|00|inc.class"; content:"|00|fdp.class"; classtype:trojan-activity; sid:2017095; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar app.jar"; flow:established,to_server; content:"/app.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017096; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Malvertising Exploit Kit Hostile Jar cm2.jar"; flow:established,to_server; content:"/cm2.jar"; http_uri; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017097; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lucky7 EK Landing Encoded Plugin-Detect"; flow:established,from_server; file_data; content:"JTc1JTY3JTY5JTZlJTQ0JTY1JTc0JTY1JTYzJTc0JTJlJTY3JTY1JTc0JTU2JTY1JTcyJTcz"; classtype:trojan-activity; sid:2017098; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lucky7 EK IE Exploit"; flow:established,from_server; file_data; content:"<t|3a|ANIMATECOLOR"; nocase; fast_pattern:only; content:"JTQzJTZmJTZjJTZjJTY1JTYzJTc0JTQ3JTYxJTcyJTYyJTYxJTY3JTY1"; classtype:attempted-user; sid:2017099; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS /Styx EK - /jlnp.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jlnp.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017100; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS /Styx EK - /jovf.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jovf.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017101; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS /Styx EK - /jorg.html"; flow:established,to_server; content:!"&"; http_uri; content:"/jorg.html"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities; classtype:trojan-activity; sid:2017102; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format July 04 2013"; flow:established,to_server; content:"GET"; http_method; content:"/s"; depth:2; http_uri; pcre:"/^\/s[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?d[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017104; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing Applet Jul 05 2013"; flow:established,to_client; file_data; content:"<applet "; nocase; fast_pattern:only; content:"|3b|document.write("; nocase; pcre:"/^[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)[^\x3b]+?\+[a-z]+?\.substring([^)]+?)/Rsi"; classtype:trojan-activity; sid:2017106; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe pull"; flow:established,to_server; content:"GET"; http_method; content:"FlashPlayerSetup.x86.exe"; http_uri; content:".swf|0d 0a|"; http_header; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017107; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe checkin UA"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| risp|0d 0a|"; http_header; flowbits:set,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017108; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlashPlayerSetup.x86.exe checkin response 2"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"var begenilecek_sayfalar"; depth:28; flowbits:isset,FlashPlayerSetupUA; reference:url,blog.avast.com/2013/07/03/fake-flash-player-installer; classtype:trojan-activity; sid:2017109; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet structure Jul 05 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; fast_pattern; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; content:"000000000000000000|22| name=|22|WindowSize"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017110; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBulletin Backdoor CMD inbound"; flow:established,to_server; content:"HTTP_ECMDE|3a|"; http_header; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017111; rev:3;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBulletin Backdoor C2 URI Structure"; flow:established,to_server; content:"/ss?t=f&"; http_uri; depth:8; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017112; rev:3;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS VBulletin Backdoor C2 Domain "; flow:established,to_server; content:"adabeupdate.com|0d 0a|"; http_header; reference:url,blog.sucuri.net/2013/07/vbulletin-infections-from-adabeupdate.html; classtype:trojan-activity; sid:2017113; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<h"; within:6; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{12,16}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017114; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet July 08 2013"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P<dot>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<p>(?!(?P=dot))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<h>(?!((?P=p)|(?P=dot)))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=p).+?value[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?(?P=dot)([^a-f0-9]{2}){1,20}(?P<e>[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P<x>(?!(?P=e))[a-f0-9]{2})([^a-f0-9]{2}){1,20}(?P=e)(([^a-f0-9]{2}){1,20})?[\x22\x27]/Rs"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017115; rev:8;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet July 08 2013"; flow:established,from_server; file_data; content:" Passage to India "; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017116; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit Plugin-Detect July 08 2013"; flow:established,from_server; file_data; content:"cGRwZD17dmVyc2lvbjoiMC4"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017117; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"getVersion("; content:"<applet"; fast_pattern; distance:0; nocase; pcre:"/^((?!(?i:<\/applet>)).)+?[\r\n\s]archive[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017118; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritX/SafePack Java Exploit Payload June 03 2013"; flow:established,to_server; content:" Java/1."; nocase; http_header; content:".php?"; http_uri; nocase; fast_pattern:only; pcre:"/\/[a-z0-9]{3}\.php\?[a-z]=[a-zA-Z0-9]{10}$/U"; classtype:trojan-activity; sid:2017119; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; file_data; content:"WARNING|21| You should update your Flash Player Immediately"; classtype:trojan-activity; sid:2017122; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Adobe Flash Player malware binary requested"; flow:established,to_server; content:"&filename=Flash Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017123; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Wordpress Injection"; flow:established,to_client; file_data; content:"15,15,155,152,44,54"; classtype:trojan-activity; sid:2017124; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free CVE-2013-3163"; flow:established,from_server; file_data; content:"<bdo"; nocase; pcre:"/^[\r\n\s\+\>]((?!<\/bdo>).)*?<fieldset[\r\n\s\+\>]((?!<\/fieldset>).)*?<\/bdo>/Rsi"; reference:cve,2013-3163; classtype:attempted-user; sid:2017133; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable FlimKit Redirect July 10 2013"; flow:established,to_server; content:"/b.swf|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Referer\x3a[^\r\n]+\/b.swf\r$/Hm"; flowbits:set,FlimKit.SWF.Redirect; classtype:trojan-activity; sid:2017125; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing July 10 2013"; flow:established,from_server; file_data; flowbits:isset,FlimKit.SWF.Redirect; content:".substring("; fast_pattern:only; nocase; content:"document.write("; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; content:".substring("; distance:0; nocase; classtype:trojan-activity; sid:2017126; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JJEncode Encoded Script"; flow:established,from_server; file_data; content:"$$$$|3a|(![]+|22 22|)["; pcre:"/^(?P<global_var>((?!(\]\,__\$\x3a\+\+)).)+)]\,__\$\x3a\+\+(?P=global_var)/R"; classtype:bad-unknown; sid:2017127; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Expiro Trojan Check-in"; flow:to_server,established; content:"POST"; http_method; content:".NET CLR 00000000/00000000)"; http_header; classtype:trojan-activity; sid:2017128; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Interent Explorer Use After Free CVE-2013-3163"; flow:established,from_server; file_data; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.body.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q)/Rsi"; content:"CollectGarbage("; fast_pattern; nocase; distance:0; content:"eval("; distance:0; nocase; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017129; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential Interent Explorer Use After Free CVE-2013-3163 2"; flow:established,from_server; file_data; content:"CollectGarbage("; fast_pattern:only; nocase; content:".contentEditable"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?true/Ri"; content:"var"; pcre:"/^[\r\n\s\+]+?(?P<var>[^\r\n\s\+\x3d]+)[\r\n\s\+]*?=[\r\n\s\+]*?[^\)]+\.createElement\(.+?\.appendChild\([\r\n\s]*?[\x22\x27]?(?P=var)[\x22\x27]?[\r\n\s]*?\).+\b(?P=var)\.innerHTML[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])(?P=q).+?CollectGarbage\(.+?\b(?P=var)\./Rsi"; reference:cve,2013-3163; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017130; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Interent Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; content:"/vid.aspx?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/vid\.aspx\?id=[a-zA-Z0-9]+$/Ui"; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:1;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - GIF Header With HTML Form"; flow:established,to_client; file_data; content:"GIF89a"; within:6; content:"<form "; nocase; fast_pattern; within:150; classtype:trojan-activity; sid:2017134; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PHISH Remax - function Validate"; flow:established,to_client; file_data; content:"function ValidateFormAol()"; fast_pattern:6,20; classtype:trojan-activity; sid:2017135; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Gamevance.AV Checkin"; flow:established,to_server; content:"/aj/ireport.php?p=u7G3"; http_uri; fast_pattern:only; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:trojan-activity; sid:2017136; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Cryptmen FakAV page Title"; flow:established,from_server; file_data; content:"<title>Viruses were found on your computer</title>"; classtype:trojan-activity; sid:2017137; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack - Java JNLP Requested"; flow:established,to_server; urilen:>70; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jnlp$/Ui"; classtype:trojan-activity; sid:2017138; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef JJencode Script URI Struct"; flow:established,to_server; content:"voDc0RHa8NnZ"; http_uri; fast_pattern:only; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?voDc0RHa8NnZ$/U"; classtype:trojan-activity; sid:2017139; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole EK Jar Download URI Struct"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,16}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|[a-z]{16,20}\/[a-z]{16,20}|closest\/[a-z0-9]+)\.php\?[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+&[A-Za-z0-9\!\(\)\*\-\_]+=[A-Za-z0-9\!\(\)\*\-\_]+$/U"; classtype:trojan-activity; sid:2017140; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole EK Plugin-Detect July 12 2013"; flow:established,from_server; file_data; content:"4CMiojbvl2cyVmd71DZwRGc"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017141; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Arachni Web Scan"; flow:established,to_server; content:"/Arachni-"; http_uri; threshold: type limit, track by_src, seconds 60, count 1; reference:url,www.arachni-scanner.com/; classtype:attempted-recon; sid:2017142; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER CRLF Injection - Newline Characters in URL"; flow:established,to_server; content:"|0D 0A|"; fast_pattern:only; http_uri; pcre:"/[\n\r](?:content-(type|length)|set-cookie|location)\x3a/Ui"; reference:url,www.owasp.org/index.php/CRLF_Injection; classtype:web-application-attack; sid:2017143; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Double Content-Length Headers"; flow:established,to_server; content:"Content-Length|3A|"; http_header; content:"Content-Length|3A|"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017146; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER HTTP Request Smuggling Attempt - Two Transfer-Encoding Values Specified"; flow:established,to_server; content:"Transfer-Encoding"; http_header; content:"Transfer-Encoding"; http_header; within:100; reference:url,www.owasp.org/index.php/HTTP_Request_Smuggling; classtype:web-application-attack; sid:2017147; rev:2;)
+
+#
+alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Non-Local Burp Proxy Error"; flow:established,to_client; content:"502"; http_stat_code; content:"Bad gateway"; http_stat_msg; file_data; content:"Burp proxy error|3A 20|"; within:18; reference:url,portswigger.net/burp/proxy.html; classtype:successful-admin; sid:2017148; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - phpBB Injection"; flow:established,to_server; content:".js?"; http_uri; content:"&"; distance:6; within:1; http_uri; pcre:"/\/[0-9]{6}\.js\?[0-9]{6}&[0-9a-f]{16}$/Ui"; classtype:trojan-activity; sid:2017149; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".exe?"; fast_pattern:only; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?[A-Za-z0-9\/\_\-]{60,}\.exe\?/R"; classtype:trojan-activity; sid:2017151; rev:11;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool PDF July 15 2013"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".txt?e="; fast_pattern:only; nocase; content:"<script"; nocase; content:"http|3a 2f 2f|"; distance:0; pcre:"/^[^\x3b\r\n\x22\x27]+?\.txt\?e=\d+(&[fh]=\d)?/R"; classtype:trojan-activity; sid:2017150; rev:11;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit Jar URI Struct"; flow:established,to_server; content:" Java/1."; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^[^\/]*?\/[a-f0-9]{8}[a-z0-9]+\.jar$/U"; pcre:"/\d/U"; pcre:"/[a-f]/U"; classtype:trojan-activity; sid:2017152; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlimKit JNLP URI Struct"; flow:established,to_server; content:".pl|0d 0a|"; http_header; content:" Java/1."; http_header; content:".jnlp"; http_uri; fast_pattern:only; pcre:"/^[^\/]*?\/[a-z0-9]{9,16}\.jnlp$/U"; pcre:"/\d/U"; pcre:"/[a-z]/U"; classtype:trojan-activity; sid:2017153; rev:1;)
+
+#
+#alert tcp any any -> $HOME_NET 3128 (msg:"ET DOS Squid-3.3.5 DoS"; flow:established,to_server; content:"Host|3a| "; http_header; pcre:"/^Host\x3a[^\x3a\r\n]+?\x3a[^\r\n]{6}/Hmi"; classtype:attempted-dos; sid:2017154; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; content:"redirect|3a 25|"; http_uri; content:"{"; http_uri; distance:0; pcre:"/[\?&]redirect\x3a\x25/U"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017155; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; content:"redirectAction|3a 25|"; http_uri; content:"{"; http_uri; distance:0; pcre:"/[\?&]redirectAction\x3a\x25/U"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017156; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; content:"action|3a 25|"; http_uri; content:"{"; http_uri; distance:0; pcre:"/[\?&]action\x3a\x25/U"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017157; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan - TCP"; flow:established,to_server; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017161; rev:1;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN SipCLI VOIP Scan"; content:"|0D 0A|User-Agent|3A 20|sipcli/"; fast_pattern:only; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.yasinkaplan.com/SipCli/; classtype:attempted-recon; sid:2017162; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE signed-unsigned integer mismatch code-verification bypass"; flow:from_server,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; file_data; content:"PK"; depth:2; content:"|FD FF|"; distance:26; within:2; content:".dex"; nocase; within:128; reference:url,sophos.com/2013/07/17/anatomy-of-another-android-hole-chinese-researchers-claim-new-code-verification-bypass/; classtype:trojan-activity; sid:2017163; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"keyStr = |22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017164; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JS Browser Based Ransomware"; flow:established,from_server; file_data; content:"YOUR BROWSER HAS BEEN LOCKED.|5c|n|5c|nALL PC DATA WILL BE DETAINED"; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; reference:url,www.f-secure.com/weblog/archives/00002577.html; classtype:trojan-activity; sid:2017165; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost Zip as Applet Archive July 08 2013"; flow:established,from_server; file_data; content:"jquery.js"; content:"archive"; fast_pattern; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?\.zip[\x22\x27]/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017166; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS X20 EK Landing July 22 2013"; flow:established,from_server; file_data; content:"&7&.y|22|></param></applet></table></body></html>"; nocase; classtype:trojan-activity; sid:2017167; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"applet"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017168; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 2"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"param"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017169; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 3"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:"jnlp_"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017170; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing 07/22/13 4"; flow:established,to_client; flowbits:isnotset,FlimKit.Landing; flowbits:set,FlimKit.Landing; file_data; content:".jar"; nocase; fast_pattern:only; content:".substring("; content:"|3b|document.write("; nocase; distance:0; content:"|3b|var "; pcre:"/^\s*?(?P<var>[a-z]{3,6})\s*?=[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]+?\+[a-z]{3,6}\.substring([^)]+?)[^\x3b\n]*?\x3bdocument\.write\((?P=var)\)\x3b<\/script>/R"; classtype:trojan-activity; sid:2017171; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; content:"java.lang.ProcessBuilder("; http_uri; nocase; classtype:attempted-user; sid:2017172; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder in client body"; flow:to_server,established; content:"java.lang.ProcessBuilder("; http_client_body; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect"; flow:established,to_server; content:".action"; http_uri; content:"redirect|3a|"; http_client_body; content:"{"; http_client_body; distance:0; pcre:"/\bredirect\x3a/P"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017174; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction"; flow:established,to_server; content:".action"; http_uri; content:"redirectAction|3a|"; http_client_body; content:"{"; http_client_body; pcre:"/\bredirectAction\x3a/P"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017175; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action"; flow:established,to_server; content:".action"; http_uri; content:"action|3a|"; http_client_body; content:"{"; http_client_body; distance:0; pcre:"/\baction\x3a/P"; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017176; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Rawin - Landing Page Received"; flow:established,to_client; file_data; content:"<body bgcolor=|22|"; pcre:"/^[0-9a-f]{6}/Ri";content:"|22 20|>|0a|<applet"; within:11; fast_pattern; classtype:trojan-activity; sid:2017177; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino Java Payload Download"; flow:established,to_server; content:" Java/1."; http_header; content:"/j"; http_uri; content:"?l"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017179; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino Java Payload Download 2"; flow:established,to_server; content:" Java/1."; http_header; content:"/j"; http_uri; pcre:"/\/j[a-z]+?\?l[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017180; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sibhost/FlimKit/Glazunov Jar with lowercase class names"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK|01 02|"; pcre:"/PK\x01\x02.{42}(?P<dir>[a-z]{7,}\/)([a-z$]+\.class)?(\xfe\xca\x00\x00)?(PK\x01\x02.{42}(?P=dir)[a-z$]+\.class){6,}(PK\x01\x02.{42}[0-9a-z$]{5,}(\.[a-z]{3})?)?PK\x05\x06.{18}$/s"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017181; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Possible CritXPack - Landing Page - jnlp_embedded"; flow:established,to_client; file_data; content:"jnlp_embedded|3a 22|PD94b"; classtype:trojan-activity; sid:2017182; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell ASPXShell - Title"; flow:established,to_client; file_data; content:"<title>ASPX Shell</title>"; classtype:trojan-activity; sid:2017183; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017184; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017185; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017186; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1"; flow:established,to_client; file_data; content:"<!--0c0896-->"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017187; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2"; flow:established,to_client; file_data; content:"#0c0896#"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017188; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3"; flow:established,to_client; file_data; content:"/*0c0896*/"; fast_pattern; content:"split"; distance:0; classtype:trojan-activity; sid:2017189; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kelihos.F exe Download 2"; flow:to_server,established; content:"GET"; http_method; urilen:<13; content:".exe"; fast_pattern:only; http_uri; pcre:"/^\/[^\x2f]+?\.exe$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:".ru|0d 0a|Cache-Control|3a| no-cache|0d 0a 0d 0a|"; distance:0; http_header; pcre:"/^User-Agent\x3a [^\r\n]+?\r\nHost\x3a [^\r\n]+?\.ru\r\nCache-Control|3a| no-cache\r\n\r\n$/H"; content:!"Accept"; http_header; content:!"Referer"; http_header; reference:md5,1303188d039076998b170fffe48e4cc0; classtype:trojan-activity; sid:2017190; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kelihos.F Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:<13; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[^\x2f]+?\.htm$/U"; content:!"BridgitAgent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; content:!"Content-Type"; http_header; content:"Content-Length|3a 20|"; content:!"0|0d 0a|"; within:3; content:"|0d 0a|"; distance:0; reference:md5,00db349caf2eefc3be5ee30b8b8947a2; classtype:trojan-activity; sid:2017191; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017192; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Outbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017193; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[0-7]{1,3})(?P<sep>[^0-9a-f])(?P<f>[0-7]{1,3})(?P=sep)[0-7]{1,3}(?P=sep)(?P<n>(?!(?P=f))[0-7]{1,3})(?P=sep)([0-7]{1,3}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[0-7]{1,3})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017194; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response Hex (Inbound)"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; content:"="; distance:0; pcre:"/^[^\x22\x27\x3b]*?[\x22\x27](?P<space>[a-f0-9]{2})(?P<sep>[^0-9a-f])(?P<f>[a-f0-9]{2})(?P=sep)[a-f0-9]{2}(?P=sep)(?P<n>(?!(?P=f))[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){4}(?P=n)(?P=sep)(?P=space)(?P=sep)(?P<z>(?!((?P=f)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P=z)(?P=sep)(?P=z)(?P=sep)(?P=f)(?P=sep)(?P=f)(?P=sep)(?P=f)/R"; classtype:trojan-activity; sid:2017195; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Crossrider Spyware Checkin"; flow:established,to_server; content:"/updater/"; http_uri; depth:9; content:"/update.json?rnd="; http_uri; distance:32; within:18; content:!"User-Agent"; http_header; classtype:trojan-activity; sid:2017196; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JNLP embedded file"; flow:established,to_client; file_data; content:"jnlp"; content:"PD94bWwgdmVyc2lvbj0"; distance:0; classtype:bad-unknown; sid:2017197; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Reversed Embedded JNLP Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"deddebme_plnj"; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017198; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java UA Requesting Numeric.ext From Base Dir (Observed in Redkit/Sakura)"; flow:established,to_server; content:!"/404."; http_uri; depth:5; content:"Java/1."; http_header; pcre:"/^\/\d{2,}\.[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2017199; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download"; flow:established,to_client; content:"Content-Type|3a| application/x-java-archive|0d 0a|"; http_header; content:"Sun, 28 Jul 2002 "; fast_pattern; classtype:trojan-activity; sid:2017200; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 (Reversed)"; flow:established,to_client; file_data; content:"lRXYklGbhZ3X2N3cfRXZsBHch91X"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017201; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass (Reversed)"; flow:established,to_client; file_data; content:"detadilav_vss_telppa__"; nocase; distance:0; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017202; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 2 (Reversed)"; flow:established,to_client; file_data; content:"0FGZpxWY29ldzN3X0VGbwBXYf9"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017203; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3 (Reversed)"; flow:established,to_client; file_data; content:"kVGdhRWasFmdfZ3cz9FdlxGcwF2Xf"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2017204; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 1"; flow:established,from_server; file_data; content:"|22|e|22|+|22|val|22|"; classtype:trojan-activity; sid:2017206; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 2"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|al|22|"; classtype:trojan-activity; sid:2017207; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 3"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|al|22|"; classtype:trojan-activity; sid:2017208; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 4"; flow:established,from_server; file_data; content:"|22|e|22|+|22|v|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017209; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 5"; flow:established,from_server; file_data; content:"|22|ev|22|+|22|a|22|+|22|l|22|"; classtype:trojan-activity; sid:2017210; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 6"; flow:established,from_server; file_data; content:"|22|e|22|+|22|va|22|+|22|l|22|"; classtype:trojan-activity; sid:2017211; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|e|27|+|27|val|27|"; classtype:trojan-activity; sid:2017212; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|al|27|"; classtype:trojan-activity; sid:2017213; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|eva|27|+|27|l|27|"; classtype:trojan-activity; sid:2017214; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|al|27|"; classtype:trojan-activity; sid:2017215; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|e|27|+|27|v|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017216; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|ev|27|+|27|a|27|+|27|l|27|"; classtype:trojan-activity; sid:2017217; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|e|27|+|27|va|27|+|27|l|27|"; classtype:trojan-activity; sid:2017218; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Eval String 7"; flow:established,from_server; file_data; content:"|22|eva|22|+|22|l|22|"; classtype:trojan-activity; sid:2017219; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 1"; flow:established,from_server; file_data; content:"|27|s|27|+|27|plit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017220; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 2"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017221; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 3"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|lit|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017222; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 4"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017223; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 5"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017224; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 6"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pl|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017225; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 7"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|it|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017226; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 8"; flow:established,from_server; file_data; content:"|27|spli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017227; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 9"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017228; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 10"; flow:established,from_server; file_data; content:"|27|sp|27|+|27|li|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017229; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 11"; flow:established,from_server; file_data; content:"|27|spl|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017230; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 12"; flow:established,from_server; file_data; content:"|27|s|27|+|27|pli|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017231; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Single Q) 13"; flow:established,from_server; file_data; content:"|27|s|27|+|27|p|27|+|27|l|27|+|27|i|27|+|27|t|27|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017232; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 1"; flow:established,from_server; file_data; content:"|22|s|22|+|22|plit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017233; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 2"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017234; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 3"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|lit|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017235; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 4"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017236; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 5"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017237; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 6"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pl|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017238; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 7"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|it|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017239; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 8"; flow:established,from_server; file_data; content:"|22|spli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017240; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 9"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017241; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 10"; flow:established,from_server; file_data; content:"|22|sp|22|+|22|li|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017242; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 11"; flow:established,from_server; file_data; content:"|22|spl|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017243; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 12"; flow:established,from_server; file_data; content:"|22|s|22|+|22|pli|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017244; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated Split String (Double Q) 13"; flow:established,from_server; file_data; content:"|22|s|22|+|22|p|22|+|22|l|22|+|22|i|22|+|22|t|22|"; nocase; flowbits:set,ET.JS.Obfus.Func; classtype:bad-unknown; sid:2017245; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct"; flow:established,to_server; content:".php?label="; http_uri; nocase; fast_pattern:only; pcre:"/\.php\?label=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Ui"; classtype:trojan-activity; sid:2017258; rev:4;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017246; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c0896 Hacked Site Response (Inbound) 4"; flow:established,to_client; file_data; content:"0c0896"; fast_pattern; flowbits:isset,ET.JS.Obfus.Func; classtype:trojan-activity; sid:2017247; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PluginDetect plus Java version check"; flow:established,from_server; file_data; content:"PluginDetect"; pcre:"/if.{1,10}[<>]=?\s*(?P<quot>[\x22\x27])1(?P<sep>[^0-9a-zA-Z])7((?P=sep)\d+)?(?P=quot).{1,10}[<>]=?\s*(?P=quot)1(?P=sep)7((?P=sep)\d+)?(?P=quot)/s"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017248; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded Applet (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017249; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded jnlp_embedded (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|6a|25|6e|25|6c|25|70|25|5f|25|65|25|6d|25|62|25|65|25|64|25|64|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017250; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|61|25|70|25|70|25|6c|25|65|25|74|25|5f|25|73|25|73|25|76|25|5f|25|76|25|61|25|6c|25|69|25|64|25|61|25|74|25|65|25|64"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017251; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 1 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|58|25|31|25|39|25|68|25|63|25|48|25|42|25|73|25|5a|25|58|25|52|25|66|25|63|25|33|25|4e|25|32|25|58|25|33|25|5a|25|68|25|62|25|47|25|6c|25|6b|25|59|25|58|25|52|25|6c"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017252; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 2 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|39|25|66|25|59|25|58|25|42|25|77|25|62|25|47|25|56|25|30|25|58|25|33|25|4e|25|7a|25|64|25|6c|25|39|25|32|25|59|25|57|25|78|25|70|25|5a|25|47|25|46|25|30"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017253; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS %Hex Encoded/base64 3 applet_ssv_validated (Observed in Sakura)"; flow:established,from_server; file_data; content:"|25|66|25|58|25|32|25|46|25|77|25|63|25|47|25|78|25|6c|25|64|25|46|25|39|25|7a|25|63|25|33|25|5a|25|66|25|64|25|6d|25|46|25|73|25|61|25|57|25|52|25|68|25|64|25|47|25|56|25|6b"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017254; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake FedEX/Pony spam campaign URI Struct 2"; flow:established,to_server; content:"/img/info.php?info="; http_uri; nocase; classtype:trojan-activity; sid:2017257; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic - POST To .php w/Extended ASCII Characters"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"Referer|3a|"; http_header; content:"www-form-urlencoded|0d 0a|"; http_header; content:" MSIE "; http_header; pcre:"/[\x80-\xff]/P"; classtype:trojan-activity; sid:2017259; rev:9;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell Generic - ASP File Uploaded"; flow:established,to_server; content:"|0D 0A|"; http_client_body; content:"<%"; within:5; http_client_body; fast_pattern; content:"%>"; http_client_body; distance:0; pcre:"/<%[\x00-\x7f]{20}/P"; classtype:trojan-activity; sid:2017260; rev:10;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojanDownloader.Win32/Dofoil.U Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; nocase; fast_pattern:only; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; depth:11; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?\bMSIE\b/Hi"; pcre:"/application/x-www-form-urlencoded\r\n(\r\n)?$/Hi"; pcre:"/^\d+$/P"; classtype:trojan-activity; sid:2017261; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Comfoo Checkin"; flow:established,to_server; content:"GET "; depth:4; pcre:"/^\/[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{5}\/\d+\/\d{2}[a-zA-Z0-9\+\/]+={0,2}\/[a-zA-Z0-9\+\/]+={0,2}\d{3}\/\sHTTP\//R"; pcre:"/^User-Agent\x3a[^\r\n]*?\x3bWindows/mi"; content:"|3b|Windows"; nocase; fast_pattern:only; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2017262; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StealRat Checkin"; flow:established,to_server; content:"/d/"; http_uri; depth:3; fast_pattern; content:".jpg"; http_uri; distance:0; pcre:"/^\/d\/[a-z]+\d+\.jpg$/U"; content:!"Referer|3a|"; http_header; content:"Host|3a 20|www.google.com|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2017263; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CBReplay Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; urilen:10; content:"filename="; http_client_body; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; pcre:"/filename=\x22\d+?\x22/P"; classtype:trojan-activity; sid:2017264; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Non-standard base64 Key"; flow:established,from_server; file_data; content:"var "; content:" = |22|"; within:10; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; content:" & 15) << 4)"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017265; rev:5;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format Sep 30 2013"; flow:established,to_server; content:"GET"; http_method; content:"/k"; depth:2; http_uri; content:"?e"; http_uri; pcre:"/^\/k[a-z]{4,13}\?e[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017266; rev:6;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino Java Exploit Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:"/j"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/j[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017267; rev:5;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino Java Payload Download Sep 30 2013"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:"/f"; http_uri; content:"?f"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?f[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017268; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CBReplay.P Ransomware"; flow:established,to_server; content:"MSIE 9.0|3b|"; fast_pattern:only; http_header; content:!"Accept|3a|"; http_header; content:"User-Agent|3a|"; depth:11; http_header; urilen:33; pcre:"/^\/[a-f0-9]{32}$/U"; pcre:"/^User-Agent\x3a[^\r\n]+?\sMSIE\s[^\r\n]+\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n(\r\n)?$/Hi"; classtype:trojan-activity; sid:2017269; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Payload Aug 02 2013"; flow:established,to_client; file_data; content:"<applet"; content:" value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]http\x3a\/\/[^\/]+?\/\?[A-Za-z0-9]+=[A-Za-z0-9%]{60,}[\x22\x27]/R"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2017270; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Plugin-Detect with global % replace on unescaped string (Sakura)"; flow:established,to_client; file_data; content:"PluginDetect.getVersion"; fast_pattern; content:"unescape("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\x22\x27]\.replace\([\r\n\s]*?(?P<q1>[\x22\x27]?)\/.+?\/g[\r\n\s]*?,[\r\n\s]*?(?P<q2>[\x22\x27]?)%(?P=q2)[\r\n\s]*?\)/R"; classtype:trojan-activity; sid:2017271; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK Java (Old) /golem.jar"; flow:established,to_server; content:"/golem.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017272; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK Java 1.7 /caramel.jar"; flow:established,to_server; content:"/caramel.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017273; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/StealRat.SpamBot Configuration File Request"; flow:established,to_server; content:"/lts.txt"; fast_pattern:only; http_uri; pcre:"/^\x2Flts\x2Etxt$/U"; flowbits:set,et.stealrat.config; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017274; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/StealRat.SpamBot CnC Server Configuration File Response"; flowbits:isset,et.stealrat.config; flow:established,to_client; file_data; content:"<repo"; distance:0; content:"<dudp>"; within:50; content:"<|2F|dudp>"; within:100; content:"<pudp>"; within:50; content:"<|2F|pudp>"; within:100; content:"<tbd>"; within:50; content:"<dom>"; within:50; content:"<|2F|dom>"; within:100; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017275; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/StealRat.SpamBot Email Template Request"; flow:established,to_server; content:"/ae1.php"; fast_pattern:only; http_uri; content:"User-Agent|3A| Mozilla/5.0|0D 0A|"; http_header; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-stealrat.pdf; classtype:trojan-activity; sid:2017276; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action"; flow:established,to_server; content:"/${"; http_uri; fast_pattern:only; pcre:"/\/\$\{[^\}\x2c]+?=/U"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Apache Struts OGNL Expression Injection"; flow:to_server,established; content:"|24 7b|"; http_uri; content:"|25 7b|"; distance:0; http_uri; content:"|7d|"; distance:0; http_uri; pcre:"/${\s*?%{/U"; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:web-application-attack; sid:2017278; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Rovnix.I Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/ld.aspx?key="; depth:13; http_uri; content:"User-Agent|3a| FWVersionTestAgent"; http_header; content:!"Accept|3a| "; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; reference:md5,605daaa9662b82c0d5982ad3a742d2e7; classtype:trojan-activity; sid:2017279; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible OpenX Backdoor Backdoor Access POST to flowplayer"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/flowplayer-3.1.1.min.js"; http_uri; nocase; reference:url,blog.sucuri.net/2013/08/openx-org-compromised-and-downloads-injected-with-a-backdoor.html; classtype:trojan-activity; sid:2017280; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Ransom.Win32.Blocker.bjat"; flow:established,to_server; content:"?&"; http_uri; content:"User-Agent|3a| Update|0d 0a|"; http_header; content:!"Accept|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017281; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Microsoft Script Encoder Encoded File"; flow:established,from_server; file_data; content:"#@~^"; within:4; classtype:trojan-activity; sid:2017282; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - net user - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"net user"; within:200; classtype:trojan-activity; sid:2017283; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - net localgroup - PRIVMSG Command"; flow:established,from_server; content:"PRIVMSG "; content:"net localgroup"; within:200; classtype:trojan-activity; sid:2017284; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - net add PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"net"; within:200; content:"/add"; within:100; classtype:trojan-activity; sid:2017285; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - netsh - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"netsh"; within:50; classtype:trojan-activity; sid:2017286; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - ipconfig - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"ipconfig"; within:100; classtype:trojan-activity; sid:2017287; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ATTACKER IRCBot - reg - PRIVMSG Command "; flow:established,from_server; content:"PRIVMSG "; content:"reg "; within:50; content:"HKEY_"; within:20; classtype:trojan-activity; sid:2017288; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - The command completed successfully - PRIVMSG Response"; flow:established,from_client; content:"PRIVMSG "; content:"The command completed successfully."; distance:0; classtype:trojan-activity; sid:2017289; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - PRIVMSG Response - Directory Listing"; flow:established,from_client; content:"PRIVMSG "; content:" <DIR>"; within:200; classtype:trojan-activity; sid:2017290; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - PRIVMSG Response - net command output"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:trojan-activity; sid:2017291; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - PRIVMSG Response - ipconfig command output"; flow:established,from_client; content:"PRIVMSG "; content:"Windows IP"; within:200; classtype:trojan-activity; sid:2017292; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER - EXE File Uploaded - Hex Encoded"; flow:established,to_server; content:"4d5a"; nocase; http_client_body; content:"50450000"; distance:0; http_client_body; classtype:bad-unknown; sid:2017293; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Adobe PKG Download Flowbit Set"; flow:established,to_server; content:"pkg"; http_uri; content:"Host|3a 20|platformdl.adobe.com|0d 0a|"; http_header; nocase; flowbits:set,ET.Adobe.Site.Download; flowbits:noalert; classtype:misc-activity; sid:2017294; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated Java version check Jul 04 2013"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<v>[0-9a-z]{2})(?P<a>(?!(?P=v))[0-9a-z]{2})[0-9a-z]{2}(?P<space>[0-9a-z]{2})[0-9a-z]{10,20}(?P=space)[0-9a-z]{2}(?P=space)(?P<w>[0-9a-z]{2})(?P<i>[0-9a-z]{2})(?P<n>[0-9a-z]{2})[0-9a-z]{4}(?P=w)[0-9a-z]{10}(?P=i)(?P=n)[0-9a-z]{28}(?P=i)[0-9a-z]{2}(?P=n)[0-9a-z]{6}(?P=a)(?P=v)(?P=a)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017295; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack Jar Download"; flow:established,from_server; content:"filename=j"; http_header; content:".jar"; distance:23; within:4; http_header; pcre:"/filename=j[a-f0-9]{23}\.jar/H"; classtype:trojan-activity; sid:2017296; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CritX/SafePack/FlashPack EXE Download"; flow:established,from_server; content:"filename=e"; http_header; content:".exe"; distance:23; within:4; http_header; pcre:"/filename=e[a-f0-9]{23}\.exe/H"; classtype:trojan-activity; sid:2017297; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Firefox CVE-2013-1690"; flow:established,from_server; file_data; content:"window.stop("; fast_pattern:only; nocase; content:"ownerDocument.write("; nocase; content:"addEventListener("; nocase; content:"readystatechange"; distance:0; nocase; content:"Array"; nocase; reference:cve,2013-1690; classtype:attempted-user; sid:2017298; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS X20 EK Download Aug 07 2013"; flow:established,from_server; content:"filename=app.jar|0d 0a|"; http_header; fast_pattern:only; file_data; content:"PK"; within:2; content:"|CA FE BA BE|"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017299; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin -TDS - POST w/Java Version"; flow:established,to_server; content:"POST"; http_method; content:"&v="; http_client_body; depth:3; pcre:"/^&v=(null|(\d+\.)+?\d+)\x3b\d+\x3b\x3b\d{3,5}x\d{3,5}\x3b/P"; classtype:trojan-activity; sid:2017300; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application page landing"; flow:established,from_server; content:"Unable to find |22|"; content:"|20|Please Click Here to install......"; distance:0; within:85; classtype:trojan-activity; sid:2017301; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Trojan Dropper purporting to be missing application - findloader"; flow:established,to_server; content:"/findloader"; http_uri; pcre:"/findloader[^\x2f\.\?]*?\.php\?[a-z]=[^&]+$/U"; classtype:trojan-activity; sid:2017302; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ATTACKER IRCBot - PRIVMSG Response - Directory Listing *nix"; flow:established,from_client; content:"PRIVMSG "; fast_pattern; content:"-rw-r--r--"; within:300; classtype:trojan-activity; sid:2017303; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET TROJAN Win32/Cridex Checkin"; flow:to_server,established; content:"POST"; http_method; pcre:"/^\/([a-z0-9+]+?\/){3}$/Ui"; content:"Accept|3a| */*|0d 0a|Host|3a| "; depth:19; http_header; pcre:"/^Accept\x3a \*\/\*\r\nHost\x3a \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x3a8080\r\nContent-Length\x3a \d{3}\r\nConnection\x3a Keep-Alive\r\nCache-Control\x3a no-cache\r\n\r\n$/H"; content:!"Referer"; http_header; content:!"User-Agent|3a| "; http_header; reference:md5,94e496decf90c4ba2fb3e7113a081726; classtype:trojan-activity; sid:2017305; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017306; rev:4;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 0f2490 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"</script>"; content:"#/0f2490#"; fast_pattern; distance:0; classtype:trojan-activity; sid:2017307; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/PornoAsset.Ransomware CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Content-Disposition|3A| form-data|3B| name=|22|cmd|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|botid|22|"; http_client_body; fast_pattern:24,20; content:"Content-Disposition|3A| form-data|3B| name=|22|lid|22|"; http_client_body; reference:url,anubis.iseclab.org/?action=result&task_id=19e3b6cbfdf8d6bd429ecc75ed016fb91; reference:url,blog.avast.com/2013/11/21/ransomware-annoys-its-victims-by-displaying-child-pornography-pictures/#more-20393; reference:url,blog.avast.com/2013/10/24/what-to-do-if-your-computer-is-attacked-by-ransomware/; classtype:trojan-activity; sid:2017308; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FortDisco Reporting Status"; flow:established,to_server; content:"POST"; http_method; content:"/cmd.php"; http_uri; fast_pattern:only; content:"|3b| Synapse"; http_header; content:"status="; http_client_body; depth:7; pcre:"/^status=\d$/P"; content:"/cmd.php HTTP/1.0|0d 0a|Host|3a|"; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017309; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible FortDisco Wordpress Brute-force Site list download 10+ wp-login.php"; flow:established,to_client; file_data; content:"/wp-login.php|0d 0a|"; nocase; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; content:"/wp-login.php|0d 0a|"; nocase; distance:0; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; reference:md5,722a1809bd4fd75743083f3577e1e6a4; classtype:trojan-activity; sid:2017310; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible FortDisco Reporting Hacked Accounts"; flow:established,to_server; content:"POST"; http_method; content:"/bruteres.php"; http_uri; fast_pattern:only; reference:url,www.arbornetworks.com/asert/2013/08/fort-disco-bruteforce-campaign/; classtype:trojan-activity; sid:2017311; rev:3;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppidn.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ppidn|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2017312; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; pcre:"/&z\d{1,3}=/Pi"; content:"POST"; nocase; http_method; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PRISM Backdoor"; content:"PRISM v"; pcre:"/^\d+?\.\d+?\sstarted/R"; nocase; classtype:trojan-activity; sid:2017314; rev:2;)
+
+#
+alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Unknown Covert Channel (VERSONEX and Mr.Black)"; content:"VERSONEX|3a|"; depth:64; fast_pattern; content:"Mr.Black"; within:50; classtype:trojan-activity; sid:2017315; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python shell spawn attempt"; flow:established,to_client; content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; sid:2017317; rev:2;)
+
+#
+alert tcp any any -> any any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - PRIVMSG *.(exe|tar|tgz|zip) download command"; flow:established,to_client; content:"PRIVMSG"; pcre:"/^[^\r\n]+\.(?:t(?:ar|gz)|exe|zip)/Ri"; classtype:bad-unknown; sid:2017318; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and 3 Letter Country Code"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*[\[\|\{][A-Z]{3}[\]\|\}]/R"; classtype:bad-unknown; sid:2017319; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Possible Windows XP/7"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*(?:W(?:in(?:dows)?)?[^a-z0-9]?(XP|[7-8])|Vista)/Ri"; classtype:bad-unknown; sid:2017321; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and Win"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*win/Ri"; classtype:bad-unknown; sid:2017322; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS IRC - NICK and -PC"; flow:established,to_server; content:"NICK "; depth:5; pcre:"/^[^\r\n]*-PC/Ri"; classtype:bad-unknown; sid:2017323; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit obfuscated hex-encoded jnlp_embedded Aug 08 2013"; flow:established,from_server; file_data; content:"fromCh"; pcre:"/(?P<m>[0-9a-f]{2})(?P<sep>[^0-9a-f])(?P<e>(?!(?P=m))[0-9a-f]{2})(?P=sep)([0-9a-f]{2}(?P=sep)){7}(?P=e)(?P=sep)(?P=m)(?P=sep)[0-9a-f]{2}(?P=sep)(?P=e)(?P=sep)(?P<d>(?!(?P=e))[0-9a-f]{2})(?P=sep)(?P=d)(?P=sep)(?P=e)(?P=sep)(?P=d)/R"; content:"<applet"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017324; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Yayih.A Checkin 2"; flow:to_server,established; content:"POST"; depth:5; content:"/bbs/search.asp"; offset:5; depth:15; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; distance:0; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:2017325; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Yayih.A Checkin 3"; flow:to_server,established; content:"GET "; depth:4; content:"/search.asp?newsid="; offset:4; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; distance:0; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:2017326; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Joomla Upload File Filter Bypass"; flow:established,to_server; content:"option=com_media"; http_uri; nocase; fast_pattern:only; content:"Filedata[]"; http_client_body; nocase; pcre:"/filename[\r\n\s]*?=[\r\n\s]*?[\x22\x27]?[^\r\n\x22\x27\x3b]+?\.[\r\n\x3b\x22\x27]/Pi"; classtype:attempted-user; sid:2017327; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK setSecurityManager hex August 14 2013"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"73657453656375726974794d616e6167657228"; nocase; reference:url,piratebrowser.com; classtype:trojan-activity; sid:2017328; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pirate Browser Download"; flow:established,to_server; content:"/PirateBrowser"; http_uri; content:".exe"; http_uri; reference:url,piratebrowser.com; classtype:policy-violation; sid:2017329; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQLi - SELECT and sysobject"; flow:established,to_server; content:"SELECT"; nocase; content:"sysobjects"; distance:0; nocase; classtype:attempted-admin; sid:2017330; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx EK - /jvvn.html"; flow:established,to_server; content:"/jvvn.html"; http_uri; classtype:trojan-activity; sid:2017333; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Reassigned Eval Function 1"; flow:established,from_server; file_data; content:"=(eval)|3b|"; classtype:bad-unknown; sid:2017334; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Reassigned Eval Function 2"; flow:established,from_server; file_data; content:"=[|22|eval|22|]|3b|"; classtype:bad-unknown; sid:2017335; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO SUSPICIOUS Reassigned Eval Function 3"; flow:established,from_server; file_data; content:"=[|27|eval|27|]|3b|"; classtype:bad-unknown; sid:2017336; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER SQLi - SELECT and Schema Columns"; flow:established,to_server; content:"SELECT"; nocase; content:"information_schema.columns"; distance:0; nocase; classtype:attempted-user; sid:2017337; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Shrift.php Microsoft OpenType Font Exploit Request"; flow:established,to_server; content:"/ngen/shrift.php"; http_uri; reference:cve,2011-3402; classtype:trojan-activity; sid:2017340; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Microsoft OpenType Font Exploit"; flow:established,to_client; content:"Content-Description|3A| File Transfer"; http_header; content:"Content-Disposition|3A| attachment|3B| filename=font.eot"; http_header; fast_pattern:33,17; reference:cve,2011-3402; classtype:trojan-activity; sid:2017341; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Spy.KeyLogger.OCI CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"pcname="; http_client_body; depth:7; content:"¬e="; http_client_body; distance:0; content:"&country="; http_client_body; distance:0; content:"&user="; http_client_body; distance:0; content:"&log="; http_client_body; distance:0; reference:url,www.virusradar.com/en/Win32_Spy.KeyLogger.OCI/description; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis/; classtype:trojan-activity; sid:2017343; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxychecker Lookup"; flow:established,to_server; content:"/proxy/proxychecker/"; http_uri; nocase; fast_pattern:only; reference:url,www.virustotal.com/en/file/ec19e12e5dafc7aafaa0f582cd714ee5aa3615b89fe2f36f7851d96ec55e3344/analysis; classtype:trojan-activity; sid:2017344; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Possible UTF-16 u9090 NOP SLED"; file_data; flow:established,to_client; content:"|5c|u9090|5c|"; nocase; pcre:"/^[a-f0-9]{4}/Ri"; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; reference:url,www.windowsecurity.com/articles/Obfuscated-Shellcode-Part1.html; classtype:shellcode-detect; sid:2017345; rev:3;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Iframe For IP Address Site"; flow:established,to_client; file_data; content:"iframe src=|22|http|3A|//"; nocase; distance:0; pcre:"/^\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}[^\r\n]*\x3C\x2Fiframe\x3E/Ri"; classtype:bad-unknown; sid:2017342; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cool obfuscated plugindetect in charcodes w/o sep Jul 10 2013"; flow:established,from_server; file_data; content:"<div>"; content:!"<"; within:1000; pcre:"/^([0-9a-z]{8})?(?P<p>[0-9a-z]{2})(?P<d>(?!(?P=p))[0-9a-z]{2})(?P=p)(?P=d)([0-9a-z]{2}){10}(?P<q>[0-9a-z]{2})[0-9a-z]{2}(?P<dot>[0-9a-z]{2})[0-9a-z]{2}(?P=dot)[0-9a-z]{2}(?P=q)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017346; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.admin@388 Keepalive to CnC"; flow:established,to_server; content:"|b0 f6 8f d3 1c 2b 0e 50 7e 16 85 de 0c ae 6e 67|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017350; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.th3bug Keepalive to CnC"; flow:established,to_server; content:"|35 d1 50 14 94 b2 24 ac 9b 00 2e f1 99 a0 82 4d|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017351; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.keaidestone Keepalive to CnC"; flow:established,to_server; content:"|82 ca 6f eb 66 ed 9e 86 dc 95 29 f0 68 a2 5d b8|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017352; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.suzuki Keepalive to CnC"; flow:established,to_server; content:"|d4 77 eb ff b6 94 cc d1 25 b6 30 12 23 d7 2e 24|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017353; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.happyyongzi Keepalive to CnC"; flow:established,to_server; content:"|ad 4a 6c bb a7 9c 30 3e 44 bc cf a5 db 77 3c 62|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017354; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.key@123 Keepalive to CnC"; flow:established,to_server; content:"|ef 80 7b ec 93 e6 92 06 17 12 27 be e3 e2 e1 19|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017355; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.gwx@123 Keepalive to CnC"; flow:established,to_server; content:"|6c 6e d3 08 a6 26 34 c7 bf c6 d3 d9 df 04 25 97|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017356; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.wwwst@Admin Keepalive to CnC"; flow:established,to_server; content:"|b4 7d 56 44 f3 23 e2 a2 1d 74 18 b6 bc 72 66 2a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017357; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.xiaoxiaohuli Keepalive to CnC"; flow:established,to_server; content:"|4e c3 69 55 10 ad 3f 34 31 cc d1 73 30 ae 16 64|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017358; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.smallfish Keepalive to CnC"; flow:established,to_server; content:"|19 07 1b 24 3b 7a 9d e7 77 1e 84 f6 0f 60 3e 27|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017359; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.XGstone Keepalive to CnC"; flow:established,to_server; content:"|ed d2 c6 f2 b9 ca 1e df 5c ba b7 0c 59 8e 9c 49|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017360; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.fishplay Keepalive to CnC"; flow:established,to_server; content:"|77 1b 13 19 a2 d1 8d a1 b5 05 8f fa 3f aa c0 8a|"; offset:16; depth:16; dsize:48; reference:url,www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf; classtype:trojan-activity; sid:2017361; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Napolar.A Getting URL"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36|0d 0a|Host"; fast_pattern:94,26; depth:126; http_header; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017362; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO InetSim Response from External Source Possible SinkHole"; flow:from_server,established; content:"Server|3a| INetSim HTTP Server"; http_header; classtype:bad-unknown; sid:2017363; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated base64 key string"; flow:established,from_server; file_data; content:" & 15) << 4)"; fast_pattern; content:"(|22|"; content:!"|22|"; within:65; content:"|22|"; distance:65; within:1; content:!"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; distance:-66; within:62; content:!"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz"; distance:-66; within:62; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; distance:-66; within:62; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017364; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SUSPICIOUS UA (iexplore)"; flow:established,to_server; content:"User-Agent|3A 20|iexplore"; http_header; nocase; fast_pattern:only; content:!"Host|3a 20|su.pctools.com|0d 0a|"; nocase; http_header; content:!".advent.com|0d 0a|"; nocase; http_header; reference:md5,b0e8ce16c42dee20d2c1dfb1b87b3afc; classtype:bad-unknown; sid:2017365; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632"; flow:to_server; content:"POST"; http_method; content:"/adminapi/administrator.cfc?"; http_uri; nocase; content:"method"; http_uri; nocase; content:"login"; http_uri; nocase; content:"rdsPasswordAllowed"; nocase; http_client_body; fast_pattern:only; pcre:"/rdsPasswordAllowed[\r\n\s]*?=[\r\n\s]*?(true|1)/Pi"; reference:url,www.exploit-db.com/exploits/27755/; reference:cve,2013-0632; classtype:attempted-user; sid:2017366; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Win32/Napolar.A URL Response"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"!http|3a|//"; within:8; pcre:"/^[^\r\n]+?\$$/R"; reference:md5,9a8cee88d7440f25be8404b71cb584de; reference:md5,b70f8d0afa82c222f55f7a18d2ad0b81; classtype:trojan-activity; sid:2017367; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Avatar RootKit Yahoo Group Search"; flow:to_server,established; content:"/search?query="; http_uri; depth:14; content:"&sort=relevance"; distance:8; within:15; http_uri; content:"Host|3a 20|groups.yahoo.com|0d 0a|"; http_header; content:!"Referer|3a|"; pcre:"/^\/search\?query=[A-Z0-9]{8}&sort=relevance$/U"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bitcoin variant Checkin"; flow:to_server,established; content:!"|0d 0a|Referer"; nocase; http_header; content:"/register_slave.php"; http_uri; fast_pattern:only; reference:url,blog.avast.com/2013/08/01/malicious-bitcoin-miners-target-czech-republic/; reference:md5,15cb65409f9b935cfdff72c22c358e34; classtype:trojan-activity; sid:2017369; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS AutoIT C&C Check-In 2013-08-23 URL"; flow:established,to_server; content:"GET"; http_method; content:"/panel/panel.bin"; http_uri; reference:url,malwr.com/analysis/MWM3NDA2NTdhM2U4NGE0NjgwY2IzN2Y3ZDk4ZTcyMmM/; classtype:trojan-activity; sid:2017370; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Aug 26 2013"; flow:established,from_server; file_data; content:"Australian Holiday|22|"; fast_pattern:only; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017372; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CookieBomb Generic JavaScript Format"; flow:from_server,established; file_data; content:"/*/"; fast_pattern; pcre:"/^[a-f0-9]{6}\*\//R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017373; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb Generic PHP Format"; flow:from_server,established; file_data; content:"echo "; fast_pattern; content:"#/"; distance:0; pcre:"/^[a-f0-9]{6}#/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017374; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb Generic HTML Format"; flow:from_server,established; file_data; content:"<!--/"; fast_pattern; pcre:"/^[a-f0-9]{6}\-\-\>/R"; content:"="; pcre:"/^[\r\n\s]*?\x5c?[\x22\x27]/R"; content:!"|22|"; within:500; content:!"|27|"; within:500; pcre:"/^([a-f0-9]{2}[^\x22\x27a-f0-9]{0,10})?(?P<f>[a-f0-9]{2})(?P<sep>[^\x22\x27a-f0-9]{0,10})(?P<u>(?!(?P=f))[a-f0-9]{2})(?P=sep)(?P<n>(?!(?:(?P=f)|(?P=u)))[a-f0-9]{2})(?P=sep)(?P<c>(?!(?:(?P=f)|(?P=u)|(?P=n)))[a-f0-9]{2})(?P=sep)(?P<t>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)))[a-f0-9]{2})(?P=sep)(?P<i>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)))[a-f0-9]{2})(?P=sep)(?P<o>(?!(?:(?P=f)|(?P=u)|(?P=n)|(?P=c)|(?P=t)|(?P=i)))[a-f0-9]{2})(?P=sep)(?P=n)(?P=sep)(?P<spc>[a-f0-9]{2})(?P=sep)([a-f0-9]{2}(?P=sep)){1,100}(?P=spc)/Ri"; classtype:trojan-activity; sid:2017375; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible BHEK Landing URI Format"; flow:to_server,established; urilen:>41; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{32}\/[a-z]+?\-[a-z]+?\.php/U"; classtype:trojan-activity; sid:2017376; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win64/Vabushky.A Malicious driver download"; flow:established,to_server; content:".bmp.gz"; http_uri; fast_pattern:only; pcre:"/\/[a-z]{2,3}\/(?:\d{3,4}x\d{3,4}|default)\.bmp\.gz$/Ui"; reference:url,welivesecurity.com/2013/08/27/the-powerloader-64-bit-update-based-on-leaked-exploits/; classtype:trojan-activity; sid:2017377; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool get command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgwKH08DHh4bVURA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017378; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool long command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgcABQhLAh4fH1FA"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017379; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool smart command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhgCCh0fSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017380; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool post1 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtaSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017381; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool post2 command received key=okokokjjk"; flow:established,from_server; file_data; content:"QhsAGBtZSgIfGxtV"; within:16; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017382; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgkWHwpL"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017383; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Drive DDoS Tool byte command received key=okokokjjk"; flow:established,from_server; file_data; content:"QgIMBh9L"; within:8; pcre:"/^[A-Za-z0-9\/\+]+={0,2}$/R"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; classtype:trojan-activity; sid:2017384; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr Checkin 1"; flow:established,to_server; content:"POST "; depth:5; content:"/is-ready HTTP/1."; within:17; nocase; reference:md5,d2e799904582f03281060689f5447585; classtype:trojan-activity; sid:2017516; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr Checkin 2"; flow:established,to_server; content:"POST "; depth:5; content:"/is-sending"; fast_pattern; within:12; nocase; content:".exe HTTP/1."; distance:0; reference:md5,d2e799904582f03281060689f5447585; classtype:trojan-activity; sid:2017517; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Dirtjump Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"req="; depth:4; http_client_body; pcre:"/^req=[A-Za-z0-9]{15}([A-Za-z0-9]{19})?$/P"; reference:url,www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/; reference:md5,50a538221e015d77cf4794ae78978ce2; classtype:trojan-activity; sid:2017385; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible APT-12 Related C2"; flow:to_server,established; content:"/url.asp?"; http_uri; content:"-ShowNewsID-"; http_uri; fast_pattern; distance:0; pcre:"/=[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,community.rapid7.com/community/infosec/blog/2013/08/26/upcoming-g20-summit-fuels-espionage-operations; classtype:trojan-activity; sid:2017386; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC ([country|so version|CPU])"; flow:established,to_server; content:"NICK {"; content:"x86"; within:12; content:"}"; distance:0; pcre:"/NICK {[a-z]{2,3}\x2D.+?x86[a-z]}[a-z]/i"; flowbits:set,ET.IRC.BOT.CntSOCPU; classtype:trojan-activity; sid:2017395; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Aug 27 2013"; flow:established,from_server; file_data; content:"base_decode("; nocase; fast_pattern:only; content:"decodeHex("; nocase; content:"<applet"; nocase; classtype:trojan-activity; sid:2017387; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sweet Orange Payload Download Aug 28 2013"; flow:established,to_server; content:"=java.util.Random@"; http_uri; fast_pattern:only; content:" Java/1."; http_header; classtype:trojan-activity; sid:2017388; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Creds"; flow:established,to_server; content:"code="; http_client_body; depth:5; content:"&submit="; distance:0; http_client_body; classtype:trojan-activity; sid:2017389; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - Interface"; flow:established,to_client; file_data; content:"document.myform.txtpath.value"; classtype:trojan-activity; sid:2017390; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - Auth Prompt"; flow:established,to_client; file_data; content:"<INPUT type=password name=code >"; classtype:trojan-activity; sid:2017391; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - ASPyder - File Browser - POST Structure"; flow:established,to_server; content:"POST"; http_method; nocase; content:"txtpath="; http_client_body; depth:8; content:"&cmd="; http_client_body; classtype:trojan-activity; sid:2017392; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - ASPyder -File Upload - POST Structure"; flow:established,to_server; content:"POST"; http_method; nocase; content:"?upload=@&txtpath="; http_uri; content:"Upload !"; http_client_body; classtype:trojan-activity; sid:2017393; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - ASPyder - File Upload - Response"; flow:established,to_client; file_data; content:"<title>ASPYDrvsInfo</title>"; classtype:trojan-activity; sid:2017394; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Landing Aug 29 2013"; flow:established,from_server; file_data; content:".txt?e"; nocase; fast_pattern:only; content:"value"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<q>[\x22\x27])((?!(?P=q)).)+?\.txt\?e=\d+(&[fh]=\d+)?(?P=q)/Ri"; classtype:trojan-activity; sid:2017396; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DOS Apple CoreText Exploit Specific string"; flow:established,from_server; file_data; content:"|D8 B3 D9 85 D9 8E D9 80 D9 8E D9 91 D9 88 D9 8F D9 88 D9 8F D8 AD D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 CC B7 CC B4 CC 90 D8 AE 20 D8 A7 D9 85 D8 A7 D8 B1 D8 AA D9 8A D8 AE 20 CC B7 CC B4 CC 90 D8 AE|"; reference:url,techcrunch.com/2013/08/29/bug-in-apples-coretext-allows-specific-string-of-characters-to-crash-ios-6-os-x-10-8-apps/; classtype:bad-unknown; sid:2017397; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection"; flow:established,to_server; content:"Host|3a 20|ip4.icanhazip.com|0d 0a|"; http_header; classtype:attempted-recon; sid:2017398; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of base64_decode"; flow:established,from_server; file_data; content:"base64_decode"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?base64_decode/Rsi"; classtype:trojan-activity; sid:2017399; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzinflate"; flow:established,from_server; file_data; content:"gzinflate"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzinflate/Rsi"; classtype:trojan-activity; sid:2017400; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of str_rot13"; flow:established,from_server; file_data; content:"str_rot13"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?str_rot13/Rsi"; classtype:trojan-activity; sid:2017401; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of gzuncompress"; flow:established,from_server; file_data; content:"gzuncompress"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?gzuncompress/Rsi"; classtype:trojan-activity; sid:2017402; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic eval of convert_uudecode"; flow:established,from_server; file_data; content:"convert_uudecode"; nocase; fast_pattern:only; content:"eval"; nocase; pcre:"/^[\r\n\s]*?\x28[\r\n\s]*?convert_uudecode/Rsi"; classtype:trojan-activity; sid:2017403; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WORM W32/Njw0rm CnC Beacon"; flow:established,to_server; content:"lv0njxq80"; depth:9; content:"njxq80"; distance:0; reference:url,www.fireeye.com/blog/technical/malware-research/2013/08/njw0rm-brother-from-the-same-mother.html; reference:md5,4c60493b14c666c56db163203e819272; reference:md5,b0e1d20accd9a2ed29cdacb803e4a89d; classtype:trojan-activity; sid:2017404; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:"var pp100"; fast_pattern; content:"document.write("; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27]<(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?a(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?p(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?l(?:[\x27\x22]\s*?\+\s*?[\x22\x27])?e(?:[\x27\x22]\s*?\+\s*?[\x27\x22])?t/Ri"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017405; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK Java /victoria.jar"; flow:established,to_server; content:"/victoria.jar"; fast_pattern:only; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017406; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Landing with Applet Aug 30 2013"; flow:established,from_server; file_data; content:".getVersion"; nocase; content:"|22|PGFwcGxld"; fast_pattern; content:"|22|PGFwcGxld"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017407; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GondadEK Landing Sept 03 2013"; flow:established,from_server; file_data; content:"expires=|22|+expires.toGMTString()"; fast_pattern:3,20; nocase; content:"51yes.com/click.aspx?"; nocase; content:"|22|gb2312|22|"; nocase; content:"delete "; nocase; content:"eval"; nocase; pcre:"/^[^A-Za-z0-9]/R"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit; classtype:trojan-activity; sid:2017408; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1"; flow:established; file_data; content:"bdd1f04b-858b-11d1-b16a-00c0f0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017409; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2"; flow:established; file_data; content:"996BF5E0-8044-4650-ADEB-0B013914E99C"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017410; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3"; flow:established; file_data; content:"C74190B6-8589-11d1-B16A-00C0F0283628"; nocase; content:"0M8R4KGxGu"; reference:url,www.antiy.net/wp-content/uploads/The-Latest-APT-Attack-by-Exploiting-CVE2012-0158-Vulnerability.pdf; reference:url,contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017411; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 110 (msg:"ET TROJAN Gh0st_Apple Checkin"; flow:to_server,established; content:"GET "; depth:4; content:".gif?pid"; offset:4; depth:10; fast_pattern; content:"&v="; distance:0; content:"HTTP/1.1|0d 0a|"; distance:0; content:"User-Agent|3a| Mozilla/4.0("; distance:0; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; reference:md5,f4d4076dff760eb92e4ae559c2dc4525; classtype:trojan-activity; sid:2017412; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN NJRat-backdoor Checkin"; flow:to_server,established; content:"|7c 28|"; pcre:"/^\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/R"; content:"|29 7c|"; within:2; pcre:"/^\d{1,5}/R"; content:"|7c|Win"; within:4; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017413; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown Malware CnC response with exe file"; flow:from_server,established; byte_jump:2,1,little,post_offset -4; isdataat:!1,relative; content:"!This program cannot be run in DOS mode."; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017414; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Taidoor Checkin"; flow:to_server,established; content:".jsp?"; fast_pattern:only; http_uri; pcre:"/^\/(?:p(?:a(?:rs|g)e|rocess)|(?:securit|quer)y|(?:defaul|abou)t|index|login|user)\.jsp\?[a-z]{2}\x3d[a-z0-9]{9}[A-F0-9]{9}$/Ui"; content:"User-Agent|3a| "; depth:12; http_header; content:!"Referer"; http_header; reference:url,contagiodump.blogspot.com.br/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html; classtype:trojan-activity; sid:2017415; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole EK Variant PDF Download"; flow:established,from_server; content:".pdf"; fast_pattern:only; nocase; http_header; file_data; content:"%PDF-"; within:100; flowbits:isset,et.BHEK.PDF; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017416; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Keep-Alive (OUTBOUND)"; flow:to_server,established; content:"P[endof]"; dsize:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017418; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Checkin"; flow:to_server,established; content:"lv"; depth:2; content:"[endof]"; isdataat:!1,relative; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017419; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (File Manager)"; flow:from_server,established; content:"FM|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017420; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (File Manager)"; flow:to_server,established; content:"rn|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017421; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Remote Desktop)"; flow:from_server,established; content:"sc~|7c 27 7c 27 7c|"; depth:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017422; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Remote Desktop)"; flow:to_server,established; content:"scPK|7c 27 7c 27 7c|"; depth:9; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017423; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Remote Cam)"; flow:from_server,established; content:"CAM|7c 27 7c 27 7c|"; depth:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017424; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Remote Cam)"; flow:to_server,established; content:"USB Video Device[endof]"; depth:23; fast_pattern:3,20; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017425; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Remote Shell)"; flow:from_server,established; content:"rs|7c 27 7c 27 7c|"; depth:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017426; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Process listing)"; flow:to_server,established; content:"proc|7c 27 7c 27 7c|"; depth:9; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017427; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Kill Process)"; flow:from_server,established; content:"k|7c 27 7c 27 7c|"; depth:6; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017428; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Registry)"; flow:from_server,established; content:"RG|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017429; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Keylogger)"; flow:from_server,established; content:"kl|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017430; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command (Get Passwords)"; flow:from_server,established; content:"ret|7c 27 7c 27 7c|"; depth:8; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017431; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Bladabindi/njrat CnC Command Response (Get Passwords)"; flow:to_server,established; content:"pl|7c 27 7c 27 7c|"; depth:7; reference:url,threatgeek.com/2013/07/njrat-detection-rules-using-yara-.html; classtype:trojan-activity; sid:2017432; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura EK Landing Sep 06 2013"; flow:established,from_server; file_data; content:"/deployJava.js"; fast_pattern:only; nocase; content:!"<applet"; nocase; content:" RegExp"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?(?P<q>[\x22\x27])(?P<m>((?!(?P=q)).)+)(?P=q).+?<(?P=m)?a(?P=m)?p(?P=m)?p(?P=m)l(?P=m)?e(?P=m)?t/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017433; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing Sep 06 2013"; flow:established,from_server; file_data; content:"DoCake()"; fast_pattern:only; nocase; content:"applet"; nocase; content:".php?e="; content:".php?e="; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017434; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Bleeding EK Variant Landing JAR Sep 06 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_header; content:".php?e="; nocase; http_uri; pcre:"/\.php\?e=\d+(&|$)/Ui"; classtype:trojan-activity; sid:2017435; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in URI"; flow:established,to_server; content:"_SERVER["; fast_pattern:only; http_uri; pcre:"/[&\?]_SERVER\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017436; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP GET SuperGlobal in URI"; flow:established,to_server; content:"_GET["; fast_pattern:only; http_uri; pcre:"/[&\?]_GET\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017437; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP POST SuperGlobal in URI"; flow:established,to_server; content:"_POST["; fast_pattern:only; http_uri; pcre:"/[&\?]_POST\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017438; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in URI"; flow:established,to_server; content:"_COOKIE["; fast_pattern:only; http_uri; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017439; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in URI"; flow:established,to_server; content:"_SESSION["; fast_pattern:only; http_uri; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017440; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in URI"; flow:established,to_server; content:"_REQUEST["; fast_pattern:only; http_uri; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017441; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP ENV SuperGlobal in URI"; flow:established,to_server; content:"_ENV["; fast_pattern:only; http_uri; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/U"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017442; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP SERVER SuperGlobal in POST"; flow:established,to_server; content:"_SERVER["; fast_pattern:only; http_client_body; pcre:"/(?:[&\?\r\n]|^)_SERVER\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017443; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP GET SuperGlobal in POST"; flow:established,to_server; content:"_GET["; fast_pattern:only; http_client_body; pcre:"/(?:[&\?\r\n]|^)_GET\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017444; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP POST SuperGlobal in POST"; flow:established,to_server; content:"_POST["; fast_pattern:only; http_client_body; pcre:"/(?:[&\?\r\n]|^)_POST\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017445; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP COOKIE SuperGlobal in POST"; flow:established,to_server; content:"_COOKIE["; fast_pattern:only; http_client_body; pcre:"/[&\?]_COOKIE\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017446; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP SESSION SuperGlobal in POST"; flow:established,to_server; content:"_SESSION["; fast_pattern:only; http_client_body; pcre:"/[&\?]_SESSION\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017447; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP REQUEST SuperGlobal in POST"; flow:established,to_server; content:"_REQUEST["; fast_pattern:only; http_client_body; pcre:"/[&\?]_REQUEST\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017448; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP ENV SuperGlobal in POST"; flow:established,to_server; content:"_ENV["; fast_pattern:only; http_client_body; pcre:"/[&\?]_ENV\[[^\]]+?\][^=]*?=/P"; reference:url,imperva.com/download.asp?id=421; classtype:bad-unknown; sid:2017449; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Sep 10 2013"; flow:established,from_server; file_data; content:".getVersion("; nocase; content:!"PluginDetect"; nocase; distance:-24; within:12; pcre:"/^[\r\n\s]*?(?P<q>[\x22\x27])Java(?P=q)/Ri"; content:!"<applet"; nocase; content:"var"; pcre:"/^[^=]+?=[^\x22\x27\x3b]*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?<[^\x22\x27]*?a[^\x22\x27]*?p[^\x22\x27]*?p[^\x22\x27]*?l[^\x22\x27]*?e[^\x22\x27]*?t[^\x22\x27](?:(?!(?P=q)).)+?<[^\x22\x27]*?p[^\x22\x27]*?a[^\x22\x27]*?r[^\x22\x27]*?a[^\x22\x27]*?m/Rs"; classtype:trojan-activity; sid:2017450; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing Page"; flow:established,from_server; file_data; content:"|22|0x|22 3b|"; content:"="; distance:0; pcre:"/^[\r\n\s]*?[\x22\x27][a-f0-9]{2}(?P<sep>[^a-f0-9]{1,10})(?P<a>[a-f0-9]{2})(?P=sep)(?P<p>[a-f0-9]{2})(?P=sep)(?P=p)(?P=sep)(?P<l>[a-f0-9]{2})(?P=sep)(?P<e>[a-f0-9]{2})[^\x22\x27]+?(?P=sep)(?P=p)(?P=sep)(?P=a)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=a)(?P=sep)[^\x22\x27]+?(?P=sep)(?P=a)(?P=sep)(?P=l)(?P=sep)[a-f0-9]{2}(?P=sep)(?P=e)/Rsi"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017451; rev:5;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole hex and wordlist initial landing and exploit path"; flow:established,to_server; urilen:>70; content:".php"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{5,}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\/(?:[a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2017452; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Forum Injection"; flow:established,to_server; urilen:27<>33; content:".js?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z]{7,11}\.js\?[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2017453; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole EK Payload Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){5}&[^=]+=(?:[^&]?(?:3[0-2a-e8-9]|7[x-y6-7\-3]|x[b-e6-9xz]|\-[b-hy-z9]|w[wa-f6-9]|5[2-9a-e]|[47][0-2]|8[a-ez9]|2[d-j]|6[c-e])){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017454; rev:11;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Waledac FACEPUNCH Traffic Detected"; flow:to_server,established; content:"POST"; depth:4; http_method; content:"Referer|3a 20|Mozilla|0d 0a|"; nocase; http_header; content:"User-Agent|3a| Mozilla"; http_header; content:"X-Request-Kind-Code|3a 20|"; http_header; fast_pattern:only; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_infiltrating_the_waledac_botnet_v2.pdf; classtype:trojan-activity; sid:2017455; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole EK Variant PDF Download Sep 11 2013"; flow:established,to_server; urilen:>56; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=(?:[^&](?:5[5-9a-e]|8[9a-e])){5}[^=]+=[^&]+&[^=]+=(?:[^&](?:5[5-9a-f]|8[9a-e])){10}([^&]60[^&]60(?:[^&](?:5[5-9a-f]|8[9a-e])){10})*?&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017456; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 1"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\:[^\r\n]+?\.(?:c(?:o(?:l(?:leg(?:e(?:(?:confidential|-station|prowler)\.net|s?explained\.com)|iate(?:explained|info)\.com)|(?:o(?:rado-springs-jobs|nexplained)|umnexplore)\.com)|m(?:p(?:uter(?:explained\.com|themes\.net)|assiondefinition\.com)|m(?:oditylingerie|unesinfo|ercekid)\.com)|n(?:ce(?:rtparis\.net|ptsets\.com)|trolwedding\.com)|(?:(?:rnell|upon)explained|peguide)\.com|7\.us)|a(?:(?:(?:mpaign|talog|det)explained|n(?:cersexplained|adadaycore)|p(?:itali[sz]eguide|ricornhi)|b(?:leexplained|indynamic))\.com|r(?:(?:tograph(?:yanalysis|erwhat)|cinomas?explained|scratch-remover|eblack)\.com|insurance-compare\.net)|ce\.us)|h(?:(?:a(?:r(?:med-episodes|les-proxy|tpixel)|p(?:elsinfo|terball)|nnelexplained)|ristmas(?:gift-ideas|motion)|inesenewyearboom|eckingwatch)\.com|(?:orizo|urros)\.es)|(?:e(?:l(?:lularexplained|iac-diet)|ntigrade(?:explained|info))|(?:li(?:nical|ck)|ustomized)explained|r(?:uiseshipdating|iticsmart)|pu-benchmark|nc-cs)\.com|8\.biz|z\.cc)|a(?:(?:ll(?:about(?:(?:(?:collegi|gradu)at|yal)e|s(?:eminary|tudent)|(?:facul|varsi)ty|bestsellers|academic|teaching|harvard|ucla|pro)|babyours)|n(?:(?:tipodesbi|alyzelan)d|onymous-film)|(?:mericas-nexttopmode|gentsbal)l|r(?:chitectureice|lingtonwriter)|c(?:ademicexplaine|tionmo)d|ero(?:flotinfo|bicfund))\.com|u(?:(?:toma(?:tedexplained|kers24)|stralia-airlines|xiliaryverb)\.com|di(?:t(?:jewellery\.com|report\.net)|o-planet\.com))|p(?:(?:rilfools(?:hotel|spin)|ple-airport)\.com|[fh]i\.biz)|ir(?:(?:bnb-coupon|waysinfo)\.com|portshuttleseattle\.net)|v(?:enue(?:domain|hello)\.com|li\.biz)|\.e\.gy)|b(?:(?:a(?:c(?:helorexplained|kpackscope)|by(?:online-shop|revision)|(?:rcelonarea|ggagecoo)l|s(?:icexplained|escope)|ttle-field-3)|e(?:(?:st-hoteldeal|er-calorie|t-award)s|nefitexplained)|u(?:y-invite|dgetyep)|logger-com)\.com|r(?:(?:o(?
:adbandinternet-providers|king(?:explained|guide))|unomarsalbum|yan-college)\.com|ea(?:st(?:cancertattoos\.net|explained\.com)|dmachine-recipes\.com))|o(?:(?:(?:om(?:ing|s)|nd)explained|tany(?:explained|info)|dybuildingdomains|rrowings?24)\.com|stoncolleges\.net)|irthcertificatetemplate\.net|3g\.biz)|d(?:e(?:(?:(?:(?:benture|posit)explaine|alershipislan)d|n(?:guefevertreatment|verhowto)|ductguide|veloptea)\.com|(?:xterstreaming|ciduoustrees)\.net)|o(?:(?:ctorate(?:s?explained|info)|llar-converter|gwalking-jobs|texplained|mainsknow)\.com|wnload(?:starcraft|-films|ubuntu)\.net)|(?:a(?:ncecentralsonglist|rtmouthexplained)|na-replication|hcp-server|vd-codec|rivewww)\.com|i(?:(?:s(?:count|ease)explained|nnerparty-recipes|walifile)\.com|rect-golf\.net))|e(?:(?:a(?:r(?:fulexplained|th-clinic)|sy(?:-costumes|repayment))|conomic(?:save|24))\.com|\.gy)|4(?:(?:4qs|h5)\.com|[jp]\.org|ql\.biz)|3(?:vt\.info|gb\.biz|q\.org)|2(?:eat\.com|sf\.biz|u\.se)|8(?:c1\.net|x\.biz)|7(?:c\.org|p\.biz)|11r\.(?:biz|us))(\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2017457; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 2"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\:[^\r\n]+?\.(?:f(?:(?:a(?:c(?:ultyexplained|e-bok)|(?:ncy-font|ke-nail)s|ir(?:explained|fuse)|shion-wallpaper|lterguide)|i(?:nanc(?:i(?:al|ng)explained|epets)|rm(?:explained|s24)|lter-coffee)|o(?:r(?:umexplained|ecastbooks|ceestate)|x-drama)|udaninfo)\.com|re(?:e(?:-(?:(?:(?:foodcoupon|angrybird)s|s(?:oundclips|tock)|photoeditor)\.com|music-download\.net)|(?:p(?:owerpointthem|roduct-sampl)es|dom-ofspeech)\.com|fileconverter\.net)|snoever\.com)|l(?:a(?:shplayerdownload\.net|tbelly-diet\.com)|oridaunemploymentclaim\.com|v-downloader\.net)|e(?:rtility-calculator\.net|stivalexplained\.com)|b(?:-smileys\.com|skins\.net))|l(?:(?:i(?:n(?:k(?:explained|master)|colnsbirthdaytea)|(?:ability|ver)explained|(?:berty-saf|ftmov)e|stings(?:biz|red)|teraturemulti)|u(?:ng(?:explained|abscess)|ggageboom)|o(?:cationssecure|ndon-riots|gback))\.com|e(?:(?:a(?:singexplained|ther-trousers)|(?:edsunited-new|d-candle)s|cturer(?:explained|info)|nd(?:ing|er)explained|isure-diving)\.com|u(?:kemiaexplained\.com|e\.biz)|tup\.org)|a(?:guay\.(?:com|es)|-gazzetta\.com)|6\.org)|i(?:n(?:s(?:(?:ur(?:er(?:s(?:explained|24)|explained)|ancesexplained)|ide-film)\.com|(?:pection-camera|taflex)\.net)|d(?:e(?:pendenceday(?:portal|realty)|mnityexplained)\.com|ividual-healthinsurance\.net)|t(?:er(?:estexplained\.com|trigo\.net)|ranet(?:explained|pm)\.com)|(?:(?:vestment|centive)explained|expensivehyper)\.com|f(?:ections?explained\.com|o\.se))|(?:(?:mmersio|sd)nexplained|ronmancom|pone-5)\.com|i(?:nkai|lg)\.biz)|m(?:(?:e(?:tropolis(?:(?:cruis|fac|mov)e|pixel)|(?:lanoma|dical)explained|r(?:idiantotal|cedes-cls)|ntal-healthjobs|morialdaycon|ssenger-mac|ansgift)|i(?:ami(?:-holidays|what)|di-editor)|baexplained)\.com|a(?:r(?:(?:tial-empires|ket-hq)\.com|iogames-online\.net)|n(?:(?:agejoin|ualzap)\.com|ipal-university\.net)|(?:li
gnanthypertension|gazinedownload)\.net|s(?:on(?:wave|car)|tersexplained)\.com|c2\.org))|e(?:(?:s(?:ta(?:tes(?:mob|fx)|blishstyle)|lexplained)|mploy(?:e(?:eexplained|r24)|mentexplained))\.com|n(?:(?:(?:gagement-photo|able-cookie)s|rollexplained)\.com|trepreneur-ideas\.net)|x(?:(?:(?:hibition|po)explained|ecutive-decision)\.com|tremedeal\.net)|l(?:ect(?:ronicexplained|orate123)\.com|guay\.(?:com|es))|q(?:uityexplained\.com|8\.biz))|g(?:(?:o(?:a(?:d(?:minister|vertize|just)|cademic|llocate)|(?:thic-literatur|handl)e|(?:bailou|conduc)t|govern)|r(?:a(?:duate(?:explained|sinfo)|ndparentsdayplan)|oceryexplained|4)|ym(?:glas|car)s|m[69])\.com|a(?:(?:(?:llaudet|te)explained|mevelocity|rnerguide)\.com|511\.net)|cwsa\.org)|h(?:o(?:(?:me(?:made-biscuits|pageexplained)|(?:nours|tline|using)explained|6)\.com|stel-barcelona\.net)|a(?:r(?:dback(?:city|yoga)|vardexplained)|n(?:dlechange|ukkahbio)|lloweenorange)\.com|y(?:perthyroidsymptoms\.net|d\.me)|ellokittypictures\.net)|j(?:(?:o(?:urnalism(?:explained|info)|hn-grisham|ker-tattoo)|query-examples)\.com|a(?:cksonvillepath\.com|vacollection\.net)|(?:vvg|6)\.org)|k(?:ilometersreach|udosexplained|jyg)\.com)(\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2017458; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 3"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\:[^\r\n]+?\.(?:p(?:r(?:o(?:pert(?:ies(?:-forsale\.net|winters\.com)|y-(?:singapore|rental)\.net)|(?:fessors|state)explained\.com)|e(?:miums(?:e(?:xplained|ek)|guide)|(?:acher|cinct|late)sinfo|pexplained)\.com|i(?:va(?:te(?:car-sales|explained)\.com|do\.info)|nceton\.me))|e(?:(?:n(?:sionexplained|thousepal|cetruck)|diatricsexplained)\.com|rsonal(?:trainer-certification\.net|-injuryclaims\.com)|tardo\.es)|o(?:(?:wer(?:borrowings?|repayment|debts)|rt(?:land-holidays|alexplained)|intexplained|litical24)\.com|kertexas-holdem\.net)|a(?:(?:ss(?:engersinfo|agepix)|ge(?:explained|as)|cemaker-surgery|ttinson-robert|rk-edu)\.com|loaltocollege\.net)|(?:u(?:blicationgift|pils?info)|ickups(?:articles|gen)|neumoniaexplained|sychologyquotes|lus-sign)\.com|h(?:o(?:toedit(?:orfreedownload\.net|ingsite\.com)|neexplained\.com)|pbb-themes\.com|yscology\.net)|cbp\.net|9\.org)|o(?:n(?:line(?:(?:(?:f(?:o(?:ster|rce)|irstborn|raternal|ulltime)|b(?:r(?:idegroom|owse)|oxoffice)|e(?:(?:valuat|xpress)e|fficient)|-(?:collegecourse|radiostation)|d(?:escendant|aughter|iscusse)|v(?:illage|acant)|re(?:sidence|al))s|c(?:(?:r(?:iti(?:c(?:ize|al)|que)|ew)|o(?:nsider|usin)|a(?:pture|meo)|elluloid)s|ha(?:racters|teau))|a(?:(?:(?:vailabl|doptiv|llianc|pprais)e|ss(?:esse|ay)|unt)s|n(?:(?:cestor|alyze)s|imated)|way)|per(?:sonal-trainer|manents))\.com|mediaconverter\.net)|e-lyrics\.com|amia\.biz)|(?:ver(?:seasexplained|drawnreal)|(?:wnership|ffline)explained|cean(?:ic-cable|you)|rphanagesinfo|klahomafuse)\.com|a(?:klandour\.com|pg\.org))|r(?:e(?:(?:s(?:idenc(?:e(?:attorney|dating|cook|food)|yexplained)|erves(?:development|core))|(?:c(?:o(?:ver(?:ing|ed)|up)|laim)guid|laxationhyp|bateventur)e|g(?:i(?:on(?:private|mentor)|stercommunity)|ainguide)|t(?:r(?:ainingexplained|ieveguide)|ailexplained)|motecontrol-helicopter|vieww
inters|payment24)\.com|alestate-perth\.net)|(?:a(?:cetracksinfo|veexplained|iserepair|tetask)|ising-antivirus|bnnetwork)\.com|o(?:(?:o(?:m(?:sfootball|mateco)|fcute)|admodern)\.com|yallondonhospital\.net))|s(?:(?:o(?:(?:lventsourc|ftenguid)e|urceexplained|cietiesinfo|ng-india)|a(?:n(?:antoniosource|diegodiscover)|l(?:aryexplaine|euploa)d)|ta(?:nford(?:explained|info)|(?:bilis|v)eguide|r-treck)|p(?:ecialtyexplained|iralwatch|orts-tab)|ch(?:oolexplained|eduleedu)|ites?explained)\.com|e(?:(?:minar(?:y(?:explained|info)|explained)|c(?:(?:urities|tor)explained|what)|aworld-coupons)\.com|rvertransfer\.net)|m(?:ier\.org|oz\.us)|hellgascard\.net|gba\.biz)|m(?:o(?:(?:t(?:oristsinfo|iveshare)|ntre-breitling|dernexplained|squesinfo)\.com|hamed\.me)|(?:y(?:borrowings|-husband)|ultimediaexplained|inistriesinfo)\.com|mcd\.us)|n(?:(?:a(?:ming(?:mac|our)|uticalfit|vigateadd)|e(?:tworkexplained|w-college))\.com|8\.biz))(\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2017459; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SUSPICIOUS Java request to UNI.ME Domain Set 4"; flow:to_server,established; content:" Java/1."; http_header; pcre:"/^Host\:[^\r\n]+?\.(?:t(?:e(?:(?:l(?:e(?:phoneexplained|comsguide)|learth)|n(?:ured(?:explained|info)|nis-ranking))\.com|mp(?:l(?:ates-gratis\.com|ecollege\.net)|converter\.net)|a(?:ching(?:-certificate\.net|explained\.com)|m\.pro))|r(?:a(?:(?:(?:nsferbyt|de-)e|in(?:eesinf|ge)o|mray)\.com|vel(?:insurance-comparison\.net|agentnerd\.com))|e(?:k-bicycles|nd-online)\.net|uckstool\.com|onco\.es)|(?:o(?:wn(?:housepic|study|euro|meta)|(?:tal-tool|memap)s|pgamebook|olboxsol)|u(?:mors?explained|lsatrain|rn-ons)|attoo-websites|ype-racer|wainfo)\.com|h(?:(?:anksgivinggaming|riftexplained)\.com|e(?:sis-examples\.com|atreparis\.net))|i(?:mezonevendor\.com|dl\.net)|cmn\.biz)|w(?:e(?:b(?:(?:b(?:estseller|ailout)|administer)\.com|site(?:downloader\.net|explained\.com)|developertoolbar\.net)|(?:l(?:lesley|fare)explained|akenguide)\.com)|or(?:th(?:voice|war)\.com|ld-records\.net)|ater(?:front-property\.net|-plants\.com)|(?:riterpics|hoiscan)\.com|pbh\.org|sse\.us)|s(?:(?:t(?:ud(?:ent(?:financecontact|s?explained)|yexplained)|r(?:eetmaphub|ongat)|patricksweightloss|onewhat)|wissairinfo)\.com|u(?:(?:mmertimelyrics|nset-wallpaper|per-committee|itegraphic)\.com|b\.(?:name|cat|es)))|v(?:(?:i(?:llage(?:(?:in|na)no|crystal)|deo(?:-mediaset|explained)|ta(?:minssms|lwow)|rtualexplained)|o(?:lumesynergy|ucheragent|ters24)|a(?:rsityexplained|lentinesproxy)|entureexplained)\.com|qtel\.net|f1\.us)|u(?:n(?:i(?:versityexplained\.com|nstalltool\.net|\.me)|(?:(?:secured|am)explained|ravelguide)\.com|limited-web-hosting\.net)|(?:cla(?:explained|info)|s-inflation|alinfo|zdom)\.com|[04]\.org)|y(?:(?:o(?:u(?:ngstersinfo|rbroking)|mkippursocial)|(?:eshiva|ale)explained|vxs)\.com|nna\.biz)|zwr\.org)(\x3a\d{1,5})?\r?$/Hmi"; classtype:bad-unknown; sid:2017460; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated base64 decoder Sep 12 2013"; flow:established,from_server; file_data; content:" & 15) << 4)"; content:" & 3) << (3+3))"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017461; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess P2P Module v6 Reporting"; flow:to_server,established; content:"dj02LjAmaWQ9"; http_uri; offset:13; depth:12; content:!"Referer|3a|"; http_header; reference:url,dnsamplificationattacks.blogspot.gr/p/blog-page.html; classtype:trojan-activity; sid:2017462; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MS13-055 CAnchorElement Use-After-Free"; flow:established,from_server; file_data; content:".outer"; fast_pattern; pcre:"/^(?:Text|HTML)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27)/Ri"; content:".getElementById("; nocase; content:"<span"; nocase; content:"on"; pcre:"/^(?:(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ri"; content:"<table"; nocase; pcre:"/^((?!<table>).)+?<tr[\r\n\s\>]((?!<\/tr>).)*?<span[\r\n\s\>]((?!<\/span>).)*?<(?:[QU]|S(?:TR(?:IKE|ONG)|U[BP]|MALL|AMP)?|B(?:LINK|DO|IG)?|A(?:CRONYM|BBR)|R(?:[PT]|UBY)|(?:NOB|VA)R|C(?:IT|OD)E|D(?:EL|FN)|I(?:NS)?|KBD|EM|TT)[^>]*?\bid[\r\n\s]*?=/Rsi"; classtype:attempted-user; sid:2017463; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hesperus.Banker Tr-mail Variant Sending Data To CnC"; flow:established,to_server; content:"/gr-mail/tr-mail.php"; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:trojan-activity; sid:2017464; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Hesperus.Banker Nlog.php Variant Sending Data To CnC"; flow:established,to_server; content:"POST"; http_method; content:"/nlog/nlog.php"; http_uri; fast_pattern:only; pcre:"/^Content-Length\x3a [1-9]\d\d+?\r\n/Hm"; reference:url,blogs.mcafee.com/mcafee-labs/hesperus-evening-star-shines-as-latest-banker-trojan; classtype:trojan-activity; sid:2017465; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeAhnAV.A CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/srev.asp"; http_uri; content:"action="; http_client_body; depth:7; content:"&b_name="; http_client_body; distance:0; content:"&b_conter="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/android-fake-av-hosted-in-google-code-targets-south-koreans; classtype:trojan-activity; sid:2017466; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Reversed Country Code and 32 hex Jar Sep 16 2013"; flow:to_server,established; content:"Java/1."; http_header; fast_pattern:only; pcre:"/\/(?:M[ABCDFGHIJKMOPSTUZ]|E[ABDEGIJKMNPRSVY]|R[ABCEFGHIKLMNPST]|G[ABCEGKMNPSTUV]|A[BCGLMNPQSUVZ]|O[ABCDFIJMNRST]|S[ABEGILMPRSUW]|T[ABEGHILMPSTY]|N[BCGHIKMPSTV]|I[ABCFGKLNSV]|L[ABCGIMNPST]|W[ABCGKMPRTZ]|Z[ABCDKMNSTU]|F[ABCGMNPTW]|H[BCEGKMPST]|K[CDFHLMPST]|U[ACGHLMNRV]|Y[BCGKLMPSU]|C[CELMNSTV]|D[ABCGIMST]|V[BCLMST]|J[BDFST]|P[GJKMN]|Q[ABGIM]|B[BGLS]|X[ACMS])\/[a-f0-9]{32}(\.[^\x2f]+)?$/Ui"; classtype:trojan-activity; sid:2017467; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Fake Microsoft Security Update Applet Sep 16 2013"; flow:established,from_server; file_data; content:"JTNDJTNGeG1sJTIwdmVyc2lvbiUzRCUy"; content:"/microsoft.jnlp"; fast_pattern:only; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017468; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SNET EK VBS Download"; flow:to_server,established; content:"/cod/"; fast_pattern; http_uri; content:".vbs"; http_uri; distance:0; pcre:"/\/cod\/[^\x2f]+\.vbs$/U"; classtype:trojan-activity; sid:2017469; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 1"; flow:established,from_server; file_data; content:"BDbGVhckludGVybmV0Q2FjaGUo"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017470; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 2"; flow:established,from_server; file_data; content:"IENsZWFySW50ZXJuZXRDYWNoZS"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017471; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SNET EK Encoded VBS 3"; flow:established,from_server; file_data; content:"Q2xlYXJJbnRlcm5ldENhY2hlK"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017472; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CoolEK Variant Payload Download Sep 16 2013"; flow:to_server,established; content:" Java/1."; http_header; content:"&e="; http_uri; content:!"osk188.com"; http_header; pcre:"/=\d+&e=\d+$/U"; classtype:trojan-activity; sid:2017473; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Variant Landing Page - Applet Sep 16 2013"; flow:established,to_client; file_data; content:".class"; nocase; fast_pattern:only; content:"<param"; nocase; content:"value"; distance:0; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]+?[\?\&]e=\d+[\x22\x27]/R"; classtype:trojan-activity; sid:2017474; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Dipverdle.A Activity"; flow:to_server,established; content:"POST"; http_method; content:"/cp/?"; http_uri; nocase; fast_pattern:only; pcre:"/\/cp\/\?(?:logo\.jpg|adm)/Ui"; content:!"Referer|3a|"; http_header; content:"token="; nocase; http_client_body; depth:6; reference:md5,182ea2f564f6211d37a6c35a4bd99ee6; classtype:trojan-activity; sid:2017475; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:trojan-activity; sid:2017476; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; fast_pattern; nocase; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?function[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{.*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?.*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017478; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|Html)/Ri"; content:"onlosecapture"; nocase; fast_pattern:only; content:"function"; pcre:"/^[\r\n\s]+(?P<func>[^\r\n\s]+)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(?:\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(?:\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\).+?onlosecapture(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?P=func)\b/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017479; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 IE Memory Corruption Vulnerability"; flow:established,to_client; file_data; content:"outer"; nocase; pcre:"/^(?:Text|HTML)/Ri"; content:"onlosecapture"; nocase; fast_pattern; pcre:"/^(:?([\x22\x27][\r\n\s]*?\])?[\r\n\s]*?=|[\x22\x27][\r\n\s]*?\,)[\r\n\s]*?(?!function)(?P<func>[^\r\n\s]+)\b.+?function[\r\n\s]+(?P=func)[\r\n\s]*?\([^\)]*?\)[\r\n\s]*?\{((?!function).)*?(\b(?P<var>[^\r\n\s\=]+)[\r\n\s]*?=[\r\n\s]*?(\x22\x22|\x27\x27))?((?!function).)*?document\.write\([\r\n\s]*?(\x22\x22|\x27\x27|(?P=var))[\r\n\s]*?\)/Rsi"; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017480; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT CVE-2013-3893 Possible IE Memory Corruption Vulnerability with HXDS ASLR Bypass"; flow:established,to_client; file_data; content:"ms-help|3a|//"; nocase; content:"onlosecapture"; nocase; fast_pattern:only; reference:cve,2013-3893; reference:url,blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx; classtype:attempted-user; sid:2017477; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole initial landing/gate"; flow:established,to_server; content:"/jquery/get.php?ver=jquery.latest.js"; http_uri; classtype:trojan-activity; sid:2017481; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Styx - TDS - Redirect To Landing Page"; flow:established,to_client; file_data; content:"<body onLoad="; content:"Redirect..."; fast_pattern; classtype:trojan-activity; sid:2017482; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:" DropPayload("; fast_pattern:only; classtype:trojan-activity; sid:2017483; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function Suck("; fast_pattern:only; classtype:trojan-activity; sid:2017484; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"function align_esp("; fast_pattern:only; classtype:trojan-activity; sid:2017485; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"eval(|27|unescape|27|)"; nocase; content:"|27|%u|27|"; classtype:trojan-activity; sid:2017486; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"unescape"; nocase; fast_pattern:only; content:"[|22|replace|22|]("; nocase; content:"/g"; distance:0; pcre:"/^[\r\n\s]*?\,[\r\n\s]*?[\x22\x27][\%\\]u"/Rsi"; classtype:trojan-activity; sid:2017487; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Using Office/.Net ROP/ASLR Bypass"; flow:established,to_client; file_data; content:"(|22|ms-help|3a|//|22|)|3b|"; nocase; content:"(|22|ms-help|3a|//|22|)|3b|"; distance:0; content:"(|22|ms-help|3a 22|)|3b|"; nocase; content:"(|22|ms-help|3a 22|)|3b|"; nocase; distance:0; classtype:trojan-activity; sid:2017488; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zzinfor.A Retrieving Instructions From CnC Server"; flow:established,to_server; content:"/static/hotkey.txt"; http_uri; content:!"User-Agent|3A|"; http_header; content:!"Accept-"; http_header; reference:md5,7e37a407a8fb0df3b2835419ad16f500; reference:md5,422b926dbbe03d0e4555328282c8f32b; classtype:trojan-activity; sid:2017489; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.Mevade.FBV CnC Beacon"; flow:established,to_server; urilen:42; content:"/updater/"; http_uri; pcre:"/^\/updater\/[a-f0-9]{32}\/[0-9]$/Ui"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/; reference:url,blog.damballa.com/archives/2135; classtype:trojan-activity; sid:2017490; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format Sep 19 2013"; flow:established,to_server; content:"GET"; http_method; content:"/g"; depth:2; http_uri; content:"?t"; http_uri; distance:0; pcre:"/^\/g[a-z]{4,13}\?(hash=[a-f0-9]{32}&)?t[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017491; rev:4;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Exploit Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_header; content:"/r"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/r[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017492; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Java Payload Download Sep 19 2013"; flow:established,to_server; content:"Java/1."; fast_pattern:only; http_header; content:"/f"; http_uri; content:"?j"; http_uri; distance:0; pcre:"/\/f[a-z]+?\?j[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017493; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 1"; flow:established,to_client; file_data; content:"cHJlbG9hZGVyLWNsYXNz"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017494; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 2"; flow:established,to_client; file_data; content:"wcmVsb2FkZXItY2xhc3"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017495; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible JavaFX Click To Run Bypass 3"; flow:established,to_client; file_data; content:"ByZWxvYWRlci1jbGFzc"; reference:url,seclists.org/bugtraq/2013/Jul/41; classtype:attempted-user; sid:2017496; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rawin EK - Java Exploit - bona.jar"; flow:established,to_server; content:"/bona.jar"; http_uri; classtype:trojan-activity; sid:2017497; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blatantly Evil JS Function"; flow:established,from_server; file_data; content:"function heapspray"; nocase; classtype:trojan-activity; sid:2017498; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 1"; flow:established,from_server; file_data; content:"unescape"; content:"|22|%u"; content:!"|22|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017499; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 2"; flow:established,from_server; file_data; content:"unescape"; content:"|27|%u"; nocase; content:!"|27|"; within:120; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017500; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|22 5f|u"; nocase; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017501; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probably Evil Long Unicode string only string and unescape 3"; flow:established,from_server; file_data; content:"unescape"; content:"|27 5f|u"; nocase; content:!"|27|"; within:100; pcre:"/^[a-f0-9]{4}([\%\\]u[a-f0-9]{4}){20}/Ri"; classtype:trojan-activity; sid:2017502; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Used in various watering hole attacks"; flow:established,from_server; file_data; content:"ConVertData"; pcre:"/^[^a-z0-9]/Ri"; content:"checka"; pcre:"/^[^a-z0-9]/Ri"; content:"checkb"; pcre:"/^[^a-z0-9]/Ri"; classtype:trojan-activity; sid:2017503; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - *.com.exe HTTP Attachment"; flow:established,to_client; content:".com.exe"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2017504; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gh0st Trojan CnC 2"; flow:established,to_server; content:"Gh0st"; offset:8; depth:5; classtype:trojan-activity; sid:2017505; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cushion Redirection"; flow:established,to_server; content:".php?message="; http_uri; fast_pattern:only; pcre:"/\/(?:app|info)\.php\?message=[A-Za-z0-9\+\/]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017507; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN DeputyDog callback"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Agtid|3a| "; fast_pattern; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:trojan-activity; sid:2017511; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx J7u21 click2play bypass"; flow:established,to_server; content:"/jplay.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017508; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible J7u21 click2play bypass"; flow:established,to_client; file_data; content:"<jfx|3a|"; nocase; content:"preloader-class"; nocase; content:"<jnlp"; nocase; classtype:attempted-user; sid:2017509; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit CVE-2013-3205 Exploit Specific"; flow:established,to_client; file_data; content:"function putPayload("; nocase; fast_pattern:only; classtype:attempted-user; sid:2017510; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Statistic.js"; flow:established,to_server; content:"/statistic.js?k="; http_uri; content:"&d="; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017512; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/Caphaw DriveBy Campaign Ping.html"; flow:established,to_server; content:"/ping.html?id="; http_uri; content:"&js="; http_uri; content:"&key="; http_uri; content:!"/utils/"; http_uri; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; reference:url,blog.damballa.com/archives/2147; classtype:trojan-activity; sid:2017513; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET INFO User-Agent (python-requests) Inbound to Webserver"; flow:established,to_server; content:"User-Agent|3A| python-requests/"; http_header; classtype:attempted-recon; sid:2017515; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (/iam-ready)"; flow:established,to_server; content:"POST "; depth:5; content:"/iam-ready"; fast_pattern; within:10; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017518; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (is-enum-driver)"; flow:established,to_server; content:"POST "; depth:5; content:"/is-enum-driver"; fast_pattern; within:15; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017519; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (is-enum-folder)"; flow:established,to_server; content:"POST "; depth:5; content:"/is-enum-fa"; fast_pattern; within:11; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017520; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (is-enum-process)"; flow:established,to_server; content:"POST "; depth:5; content:"/is-enum-process"; fast_pattern; within:16; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017521; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command (is-cmd-shell)"; flow:established,to_server; content:"POST "; depth:5; content:"/is-cmd-shell"; fast_pattern; within:13; nocase; content:"|3c 7c 3e|"; distance:0; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017522; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Worm.VBS.ayr CnC command response"; flow:established,from_server; content:"|0d 0a|send|3c 7c 3e|"; pcre:"/^[A-Z]\x3a\x5f/R"; reference:url,www.fireeye.com/blog/uncategorized/2013/09/now-you-see-me-h-worm-by-houdini.html; classtype:trojan-activity; sid:2017523; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Hiloti/Mufanom CnC Response"; flow:established,from_server; flowbits:isset,ET.Hiloti; file_data; content:"<!-- vbe -->"; distance:0; classtype:trojan-activity; sid:2017526; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DATA-BROKER BOT Activity"; flow:established,to_server; content:"POST"; http_method; content:"g="; depth:2; http_client_body; content:"&cmd="; http_client_body; fast_pattern:only; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; pcre:"/^g=[A-Z0-9]+&cmd=/P"; reference:url,krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/; reference:md5,adcfe50aaaa0928adf2785fefe7307cc; classtype:trojan-activity; sid:2017524; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN OSX/Leverage.A Checkin"; flow:established,to_server; content:"|00 00|"; offset:0; depth:2; content:"|00 00 00 01|"; distance:2; within:4; content:"RAM|0a 7c|"; pcre:"/^\d+\w+\/\d+\w+ free \(\d+% used\)/R"; classtype:trojan-activity; sid:2017525; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Napolar Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"v="; depth:2; http_client_body; content:"&u="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; content:"&s={"; distance:0; http_client_body; content:"}&w="; fast_pattern; distance:0; http_client_body; content:"&b="; distance:0; http_client_body; pcre:"/&s=\{[A-Z0-9]{8}-([A-Z0-9]{4}-){3}[A-Z0-9]{12}\}&w=(\d{1,2}\.){2}\d{1,2}&b=(32|64)$/Pi"; reference:url,blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/; reference:url,www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/; reference:md5,2c344add2ee6201f4e2cdf604548408b; classtype:trojan-activity; sid:2017527; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 3"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017548; rev:3;)
+
+#
+alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER UA WordPress, probable DDOS-Attack"; flow:established,to_server; content:"User-Agent|3A| Wordpress/"; http_header; reference:url,thehackernews.com/2013/09/thousands-of-wordpress-blogs.html; reference:url,pastebin.com/NP64hTQr; classtype:bad-unknown; sid:2017528; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS LightsOut EK Payload Download"; flow:to_server,established; content:".php?dwl="; http_uri; fast_pattern:only; nocase; pcre:"/\.php\?dwl=[a-z]+$/U"; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017529; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK info3i.html"; flow:to_server,established; content:"/info3i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017530; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK info3i.php"; flow:to_server,established; content:"/info3i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017531; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK inden2i.html"; flow:to_server,established; content:"/inden2i.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017532; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK sort.html"; flow:to_server,established; content:"/sort.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017533; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK leks.html"; flow:to_server,established; content:"/leks.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017534; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK negc.html"; flow:to_server,established; content:"/negc.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017535; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK negq.html"; flow:to_server,established; content:"/negq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017536; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK leks.jar"; flow:to_server,established; content:"/leks.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017537; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK start.jar"; flow:to_server,established; content:"/start.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017538; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK stoq.jar"; flow:to_server,established; content:"/stoq.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017539; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK erno_rfq.html"; flow:to_server,established; content:"/erno_rfq.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017540; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK inden2i.php"; flow:to_server,established; content:"/inden2i.php"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017541; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK gami.html"; flow:to_server,established; content:"/gami.html"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017542; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible LightsOut EK gami.jar"; flow:to_server,established; content:"/gami.jar"; http_uri; fast_pattern:only; nocase; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017543; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS LightsOut EK POST Compromise POST"; flow:to_server,established; content:"POST"; http_method; content:".php?id="; http_uri; nocase; content:"&v1="; http_uri; nocase; content:"&v2="; http_uri; nocase; fast_pattern:only; content:"&q="; http_uri; nocase; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; content:"Content-Length|3a 20|0"; http_header; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector; classtype:trojan-activity; sid:2017544; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Sep 30 2013"; flow:established,from_server; file_data; content:"New Zealandn Holiday"; fast_pattern:only; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017545; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible FortDisco POP3 Site list download"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|PrototypeB|0d 0a|"; http_header; fast_pattern:12,10; content:!"Accept|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; reference:md5,538a4cedad8791e27088666a4a6bf9c5; reference:md5,87c21bc9c804cefba6bb4148dbe4c4de; reference:url,www.abuse.ch/?p=5813; classtype:trojan-activity; sid:2017546; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Jar Download Sep 30 2013"; flow:to_server,established; content:"Java/1."; http_header; fast_pattern:only; content:"/index.html?p="; http_uri; pcre:"/\/index\.html\?p=\d+$/U"; reference:md5,d58fea2d0f791e65c6aae8e52f7089c1; classtype:trojan-activity; sid:2017547; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cushion Redirection"; flow:established,to_server; content:"/index.php?"; http_uri; content:"="; distance:1; within:1; http_uri; content:!"=aHR0"; http_uri; pcre:"/\/index\.php\?[a-z]=[A-Za-z0-9\/\+]*?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+?(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+(?:(?:N1cm[kw]|RpbWU)9|(?:zdXJ[ps]|0aW1l)P|c3Vy(?:aT|bD)|dGltZT)[A-Za-z0-9\/\+]+={0,2}$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:2017552; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake MS Security Update (Jar)"; flow:established,from_server; file_data; content:"Microsoft Security Update"; content:"applet_ssv_validated"; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017549; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK Landing Oct 1 2013"; flow:established,from_server; file_data; content:"java3()|3b|"; fast_pattern:only; content:"java2()|3b|"; content:"pdf()|3b|"; content:"ie()|3b|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017550; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated http 2 digit sep in applet (Seen in HiMan EK)"; flow:established,from_server; file_data; content:"<applet"; content:"value"; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27]h(?P<sep>\d{2})t(?P=sep)t(?P=sep)p(?P=sep)\x3a/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017551; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HiMan EK Reporting Host/Exploit Info"; flow:established,to_server; content:".php?ex="; http_uri; content:"&os="; http_uri; content:"&name="; http_uri; content:"&ver="; http_uri; classtype:trojan-activity; sid:2017553; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BHEK Payload Download (java only alternate method may overlap with 2017454)"; flow:established,to_server; urilen:>48; content:"Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\.php\?[^=]+=(?:[^&]?[a-z0-9]{2}){5}&[^=]+=(?:[^&]?[a-z0-9]{2}){10}&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017554; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef EK initial landing from Oct 02 2013 mass-site compromise EK campaign"; flow:established,to_server; content:".js?cp="; http_uri; fast_pattern:only; pcre:"/\/[A-F0-9]{8}\.js\?cp=/U"; classtype:trojan-activity; sid:2017555; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java CVE-2013-1488 java.sql.Drivers Service Object in JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/java.sql.Drivers"; fast_pattern:14,20; content:"META-INF/services/java.lang.Object"; reference:cve,2013-1488; reference:url,www.contextis.com/research/blog/java-pwn2own/; reference:url,www.rapid7.com/db/modules/exploit/multi/browser/java_jre17_driver_manager; classtype:attempted-user; sid:2017557; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole EK Variant PDF Download"; flow:established,to_server; urilen:>48; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[^=]+=[^&]{10}&[^=]+=[^&]+&[^=]+=[^&]{20}((?P<sep>[^&]{2})(?P=sep)[^&]{20})*?&/U"; flowbits:set,et.BHEK.PDF; flowbits:noalert; classtype:trojan-activity; sid:2017556; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mevade Checkin "; flow:to_server,established; content:"GET"; http_method; content:"/attachments/ip.php"; http_uri; classtype:misc-activity; sid:2017558; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN SSH Connection on 443 - Mevade Banner"; flow:to_server,established; content:"SSH-2.0-PuTTY_Local|3a|_Feb__5_2013_18|3a|26|3a|54"; depth:41; classtype:trojan-activity; sid:2017559; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible WHMCS SQLi AES_ENCRYPT at start of value"; flow:to_server,established; content:".php?"; http_uri; nocase; content:"=AES_ENCRYPT("; http_uri; nocase; distance:0; reference:url,localhost.re/p/whmcs-527-vulnerability; classtype:attempted-admin; sid:2017560; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Wajam.Adware Sucessful Install"; flow:established,to_server; content:"/wajam_install.exe?aid="; http_uri; content:"User-Agent|3A 20|NSIS_Inetc"; http_header; classtype:trojan-activity; sid:2017561; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing with Applet Oct 4 2013"; flow:established,from_server; file_data; content:"Embassy Tokyo, Japan"; fast_pattern; content:"<applet"; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017562; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java CVE-2013-2465 Based on PoC"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"$MyColorModel.class"; content:"$MyColorSpace.class"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; classtype:attempted-user; sid:2017563; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"name=|22|kurban|22|"; distance:0; nocase; content:".exe"; nocase; reference:cve,2013-2465; reference:url,malwageddon.blogspot.com/2013/10/unknown-ek-i-wanna-be-billionaire-so.html; reference:url,seclists.org/fulldisclosure/2013/Aug/134; classtype:attempted-user; sid:2017564; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|22|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?m(?:\x22\s*?\+\s*?\x22)?C(?:\x22\s*?\+\s*?\x22)?h(?:\x22\s*?\+\s*?\x22)?a(?:\x22\s*?\+\s*?\x22)?r(?:\x22\s*?\+\s*?\x22)?c(?:\x22\s*?\+\s*?\x22)?o(?:\x22\s*?\+\s*?\x22)?d(?:\x22\s*?\+\s*?\x22)?e/Ri"; classtype:bad-unknown; sid:2017565; rev:3;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Obfuscated fromCharCode"; flow:established,from_server; file_data; content:"|27|f"; nocase; content:!"romCharcode"; nocase; within:11; pcre:"/^(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?m(?:\x27\s*?\+\s*?\x27)?C(?:\x27\s*?\+\s*?\x27)?h(?:\x27\s*?\+\s*?\x27)?a(?:\x27\s*?\+\s*?\x27)?r(?:\x27\s*?\+\s*?\x27)?c(?:\x27\s*?\+\s*?\x27)?o(?:\x27\s*?\+\s*?\x27)?d(?:\x27\s*?\+\s*?\x27)?e/Ri"; classtype:bad-unknown; sid:2017566; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FiestaEK js-redirect"; flow:established,to_server; content:"/?"; http_uri; fast_pattern:only; pcre:"/^\/[a-z0-9]+[0-9][a-z0-9]+\/\?\d$/U"; classtype:trojan-activity; sid:2017567; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:".classPK"; content:"$"; distance:-21; within:1; content:".classPK"; distance:0; content:"$"; distance:-21; within:1; pcre:"/\b(?P<xps>[a-zA-Z]{7})\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK.+?\b(?P=xps)\$[a-zA-Z]{12}\.classPK/s"; reference:cve,2013-2465; reference:url,seclists.org/fulldisclosure/2013/Aug/134; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_storeimagearray.rb; classtype:attempted-user; sid:2017568; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Page"; flow:established,from_server; file_data; content:".javaEnabled"; content:"f1=true"; nocase; fast_pattern:only; content:"window."; nocase; pcre:"/^(?P<windname>[a-z0-9]+)(?P<plug1>([sj]|f1))=true.+?window\.(?P=windname)(?P<plug2>(?:(?!(?P=plug1))([sj]|f1)))=true.+?window\.(?P=windname)(?!(?:(?P=plug1)|(?P=plug2)))(?:[sj]|f1)=true/Rsi"; classtype:trojan-activity; sid:2017569; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Angler EK Exploit Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/0"; depth:2; http_uri; pcre:"/^\/0[a-z0-9]{13}$/U"; classtype:trojan-activity; sid:2017570; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Angler EK Payload Download"; flow:established,to_server; urilen:15; content:"Java/1."; http_header; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; classtype:trojan-activity; sid:2017571; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free CVE-2013-3897"; flow:established,from_server; file_data; content:"onpropertychange"; fast_pattern:only; nocase; content:".execCommand("; nocase; pcre:"/^[\r\n\s]*?[\x27\x22]Unselect[\x27\x22]/Rsi"; content:"appendChild("; nocase; content:"textarea"; nocase; content:".select("; nocase; content:".onselect"; reference:cve,2013-3897; classtype:attempted-user; sid:2017572; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet RCE Using Marshalled Object"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/JMXInvokerServlet/"; http_uri; nocase; fast_pattern:only; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017573; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX EJBInvokerServlet RCE Using Marshalled Object"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/EJBInvokerServlet/"; http_uri; nocase; fast_pattern:only; content:"invocation.MarshalledInvocation"; nocase; reference:url,www.exploit-db.com/exploits/28713/; classtype:web-application-attack; sid:2017574; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible VBulletin Unauthorized Admin Account Creation"; flow:established,to_server; content:"POST"; http_method; content:"/upgrade.php"; http_uri; nocase; fast_pattern:only; content:"Origin|3a|"; http_header; content:"&customerid="; nocase; http_client_body; content:"&htmlsubmit="; http_client_body; content:"username"; nocase; http_client_body; content:"confirmpassword"; http_client_body; nocase; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017575; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx EK jply.html"; flow:established,to_server; content:"/jply.html"; http_uri; classtype:trojan-activity; sid:2017576; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Oct 09 2013"; flow:established,from_server; file_data; content:"|27|urn|3a|schemas-microsoft-com|3a|vml|27|"; content:"=String.fromCharCode|3b|"; fast_pattern:1,20; content:"return parseInt"; content:"return |27 27|"; classtype:trojan-activity; sid:2017577; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake MS Security Update EK (Payload Download)"; flow:established,to_server; content:"/winddl32.exe"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017578; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS Possible Secondary Indicator of Java Exploit (Artifact Observed mostly in EKs/a few mis-configured apps)"; flow:established,to_server; content:"/javax.xml.datatype.DatatypeFactory"; http_uri; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017579; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef Payload October 09"; flow:to_server,established; content:"sm_main.mp3"; http_uri; fast_pattern; content:"Java/1."; http_header; classtype:trojan-activity; sid:2017580; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoLocker Ransomware check-in"; flow:established,to_server; urilen:6; content:"POST"; http_method; content:"/home/"; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,6afc848066d274d8632c742340560a67; classtype:trojan-activity; sid:2017584; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoLocker Ransomware check-in 2"; flow:to_server,established; urilen:15; content:"POST"; http_method; content:"/pk/request.flv"; http_uri; content:!"Content-Type|3a|"; http_header; content:!"Referer|3a|"; http_header; reference:md5,a354873df6dbce59e801380cee39ac17; classtype:trojan-activity; sid:2017582; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CryptoLocker EXE Download"; flow:to_server,established; content:"/crypt_"; http_uri; content:"sell"; content:".exe"; http_uri; pcre:"/\/crypt_[^\/]*?sell[^\/]*?\d\.exe$/U"; classtype:trojan-activity; sid:2017583; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible W32/KanKan tools.ini Request"; flow:established,to_server; content:"/tools.ini"; http_uri; fast_pattern:only; pcre:"/^\/tools\.ini$/U"; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017585; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible W32/KanKan Update officeaddinupdate.xml Request"; flow:established,to_server; content:"/officeaddinupdate.xml"; http_uri; pcre:"/^\/officeaddinupdate\.xml$/U"; reference:url,www.welivesecurity.com/2013/10/11/win32kankan-chinese-drama/; classtype:trojan-activity; sid:2017586; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Opfake.A GetTask CnC Beacon"; flow:established,to_server; content:"/dev/getTask.php?imei="; http_uri; content:"&balance="; http_uri; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017587; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Opfake.A Country CnC Beacon"; flow:established,to_server; content:"/dev/reg.php?country="; http_uri; content:"&phone="; http_uri; content:"&op="; http_uri; content:"&balance="; http_uri; content:"&imei="; http_uri; reference:url,quequero.org/2013/09/android-opfake-malware-analysis/; classtype:trojan-activity; sid:2017588; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Initial Payload Internet Connectivity Check"; flow:established,to_server; content:"/ep/cl.php"; http_uri; fast_pattern:only; pcre:"/^\/ep\/cl\.php$/U"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:2017589; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS D-LINK Router Backdoor via Specific UA"; flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?xmlset_roodkcableoj28840ybtide/Hm"; reference:url,www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/; classtype:attempted-admin; sid:2017590; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Related EK Landing Oct 14 2013"; flow:established,from_server; content:"(2)!=7"; fast_pattern:only; content:"(7)==0"; content:"(6)==1"; content:"javafx_version"; content:"jnlp_href"; content:".getVersion("; pcre:"/^[\r\n\s]*?[\x22\x27]Java[\x22\x27]/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; content:"document.write("; pcre:"/^[\r\n\s]*?[\x22\x27]<applet/R"; reference:url,www.malwaresigs.com/2013/10/14/unknown-ek/; classtype:trojan-activity; sid:2017591; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Malvertising Related EK Redirect Oct 14 2013"; flow:established,to_server; content:".php?tnzppl="; fast_pattern; content:"&endovenafsl="; distance:0; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/mi"; reference:url,malwageddon.blogspot.fi/2013/09/unknown-ek-it-aint-no-trick-to-get-rich.html; classtype:trojan-activity; sid:2017592; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neutrino EK Landing URI Format Oct 15 2013"; flow:established,to_server; content:"GET"; http_method; content:"/o"; depth:2; http_uri; content:"?h"; http_uri; pcre:"/^\/o[a-z]{4,13}\?h[a-z]{4,11}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017593; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino Java Exploit Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:"/b"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/b[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017594; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino Java Payload Download Oct 15 2013"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:"/v"; http_uri; content:"?n"; http_uri; distance:0; pcre:"/\/v[a-z]+?\?n[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017595; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino XORed pluginDetect 1"; flow:established,to_client; file_data; content:"M%01%06%00%18%02%11"; within:19; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017596; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino XORed pluginDetect 2"; flow:established,to_client; file_data; content:"_%11%11%16%0A%12%06"; within:19; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017597; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Kelihos.F EXE Download Common Structure"; flow:to_server,established; content:".exe"; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; http_header; nocase; content:"Host|3a| "; http_header; depth:6; pcre:"/^GET\s*?(?:\/[a-z]+\d*?)?\/[a-z]+\d*?\.exe\s*?HTTP\/1\.0\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n\r\n$/"; classtype:trojan-activity; sid:2017598; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Egobot Checkin"; flow:to_server,established; content:".php?a1="; nocase; fast_pattern:only; http_uri; content:"&a2="; http_uri; pcre:"/&a2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$)/Ui"; reference:url,symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign; classtype:trojan-activity; sid:2017599; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Nemim Checkin"; flow:to_server,established; content:".php?arg1="; nocase; fast_pattern:only; http_uri; content:"&arg2="; http_uri; pcre:"/&arg2=((?:[a-f0-9]{32})|(?:[A-Za-z0-9\x2b\x2f]{4})*(?:[A-Za-z0-9\x2b\x2f]{2}==|[A-Za-z0-9\x2b\x2f]{3}=|[A-Za-z0-9\x2b\x2f]{4}))(?:&|$)/Ui"; reference:url,symantec.com/connect/blogs/infostealernemim-how-pervasive-infostealer-continues-evolve; classtype:trojan-activity; sid:2017600; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 IE Exploit URI Struct"; flow:established,to_server; content:".tpl"; http_uri; fast_pattern:only; pcre:"/\/1[34]\d{8}\.tpl$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017601; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK - Landing Page - Java ClassID and 32/32 archive Oct 16 2013"; flow:established,to_client; file_data; content:"applet"; nocase; fast_pattern; content:"archive"; nocase; distance:0; pcre:"/^[\r\n\s]*?=[\r\n\s]*?[\x22\x27][^\x22\x27]*?\/(?:[\/_]*?[a-f0-9][\/_]*?){64}[\x22\x27]/R"; classtype:trojan-activity; sid:2017602; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Exploit 32-32 byte hex java payload request Oct 16 2013"; flow:established,to_server; urilen:>64; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){64}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017603; rev:8;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013"; flow:established,to_server; urilen:66; pcre:"/^\/[a-f0-9]{32}\/[a-f0-9]{32}$/Ui"; content:"Referer|3a| http|3a|//"; pcre:"/^[^\/\r\n]+/R"; content:"/?"; within:2; pcre:"/^[a-f0-9]{32}=\d{1,10}\r\n/R"; content:" MSIE "; http_header; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017613; rev:7;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (OUTBOUND)"; flow:established,to_client; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017604; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND)"; flow:established,to_client; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017605; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (OUTBOUND)"; flow:established,to_client; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017606; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In GIF (INBOUND)"; flow:established,from_server; file_data; content:"GIF89"; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017607; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (INBOUND)"; flow:established,from_server; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017608; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP WebShell Embedded In PNG (INBOUND)"; flow:established,from_server; file_data; content:"PNG|0D 0A 1A 0A|"; distance:1; within:7; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017609; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED vBulletin Administrator Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/install/upgrade.php"; http_uri; content:"username"; http_client_body; content:"password"; http_client_body; distance:0; content:"confirmpassword"; http_client_body; distance:0; reference:url,blog.imperva.com/2013/10/threat-advisory-a-vbulletin-exploit-administrator-injection.html; classtype:web-application-attack; sid:2017610; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Oracle JSF2 Path Traversal Attempt"; flow:established,to_server; content:"/WEB-INF/web.xml"; nocase; http_uri; fast_pattern:only; content:"|2e 2e 2f|"; http_raw_uri; reference:url,security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html; reference:cve,2013-3815; classtype:web-application-attack; sid:2017611; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Kelihos p2p traffic detected via byte_test - SET"; flow:established,to_server; dsize:100<>2000; pcre:"/^[^OGHPDTCMLUVRBAS]/"; content:!"HTTP/1."; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; flowbits:set,ET.Kelihos-P2P; flowbits:noalert; classtype:trojan-activity; sid:2017612; rev:5;)
+
+#
+#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"ET DELETED Kelihos p2p traffic detected via byte_test CnC Response"; flow:established,from_server; flowbits:isset,ET.Kelihos-P2P; byte_extract:2,2,kelihos.p2p; byte_test:2,=,kelihos.p2p,6; byte_test:2,=,kelihos.p2p,10; byte_test:2,=,kelihos.p2p,14; byte_test:2,=,kelihos.p2p,18; byte_test:2,=,kelihos.p2p,22; byte_test:2,!=,kelihos.p2p,0; byte_test:2,!=,kelihos.p2p,4; byte_test:2,!=,kelihos.p2p,8; byte_test:2,!=,kelihos.p2p,25; classtype:trojan-activity; sid:2017614; rev:2;)
+
+#
+alert tcp $HOME_NET any -> any any (msg:"ET SCAN NETWORK Outgoing Masscan detected"; flow:established,to_server; content:"User-Agent|3A| masscan/"; http_header; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017615; rev:2;)
+
+#
+alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN NETWORK Incoming Masscan detected"; flow:established,to_server; content:"User-Agent|3A| masscan/"; http_header; reference:url,blog.erratasec.com/2013/10/that-dlink-bug-masscan.html; reference:url,blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html; classtype:network-scan; sid:2017616; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Onkod.Downloader Executable Download"; flow:established,to_server; content:"/js/"; http_uri; content:".exe"; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|22.0) Gecko/20100101 Firefox/22.0|0D 0A|"; http_header; pcre:"/\x2Fjs\x2F[\r\n]*\x2Eexe$/U"; reference:url,blog.fortinet.com/Avoiding-Heuristic-Detection/; classtype:trojan-activity; sid:2017617; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kuluoz Activity"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"name=|22|key|22|"; http_client_body; nocase; content:"filename=|22|key.bin|22|"; http_client_body; nocase; content:"name=|22|data|22|"; http_client_body; nocase; content:"filename=|22|data.bin|22|"; http_client_body; nocase; pcre:"/\/[A-F0-9]+$/U"; reference:md5,c71416a9ec5414fe487167b5bfd921ec; classtype:trojan-activity; sid:2017620; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Cutwail Redirect to Magnitude EK"; flow:established,to_server; urilen:15; content:"/messag_id.html"; http_uri; fast_pattern:only; reference:url,www.secureworks.com/resources/blog/research/cutwail-spam-swapping-blackhole-for-magnitude-exploit-kit/; classtype:trojan-activity; sid:2017621; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHMCS lt 5.2.8 SQL Injection"; flow:established,to_server; content:"[sqltype]="; http_uri; nocase; content:"[value]="; http_uri; nocase; content:".php?"; http_uri; nocase; reference:url,localhost.re/res/whmcs2.py; classtype:attempted-admin; sid:2017622; rev:4;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 1"; content:"w302r_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017623; rev:3;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Tenda Router Backdoor 2"; content:"rlink_mfg|00|"; depth:10; reference:url,www.devttys0.com/2013/10/from-china-with-love/; classtype:attempted-admin; sid:2017624; rev:3;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Outbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017625; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 81a338 Hacked Site Response (Inbound)"; flow:established,from_server; file_data; content:"<!--81a338-->"; fast_pattern:only; classtype:trojan-activity; sid:2017626; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET CURRENT_EVENTS Possible Sakura Jar Download Oct 22 2013"; flow:to_server,established; content:!".jar"; http_uri; content:"Java/1."; http_header; fast_pattern:only; content:".pl|3a|"; http_header; pcre:"/^\/[a-z]+([_-][a-z]+)*\.[a-z]{1,3}$/U"; pcre:"/^Host\x3a\x20[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.pl\x3a\d{2,5}\r$/Hm"; classtype:trojan-activity; sid:2017628; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FlashPack Oct 23 2013"; flow:to_server,established; content:".php?cashe="; http_uri; fast_pattern:only; content:"Java/1."; http_header; pcre:"/\.php\?cashe=\d+$/U"; classtype:trojan-activity; sid:2017629; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|7c 68 a3 34 36|"; within:5; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017630; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Netgear WNDR4700 Auth Bypass"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; http_uri; nocase; reference:url,securityevaluators.com/content/case-studies/routers/netgear_wndr4700.jsp; classtype:attempted-admin; sid:2017631; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Netgear WNDR3700 Auth Bypass"; flow:to_server,established; content:"/BRS_02_genieHelp.html"; http_uri; nocase; reference:url,shadow-file.blogspot.ro/2013/10/complete-persistent-compromise-of.html; classtype:attempted-admin; sid:2017632; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"domestic transit area.<br>"; fast_pattern:6,20; content:"display"; nocase; pcre:"/^[\r\n\s]*?\x3a[\r\n\s]*?none/Ri"; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017634; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Landing Page Oct 25 2013"; flow:established,from_server; file_data; content:"fromCharCode"; content:"+0+0+3-1-1"; fast_pattern; within:100; content:"substr"; content:"(3-1)"; within:100; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017635; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/\d{8,11}\/1[34]\d{8}\.pdf$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017636; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java File Sent With X-Powered By HTTP Header - Common In Exploit Kits"; flow:established,to_client; content:"Content-Type|3A| application/java-archive"; http_header; fast_pattern:25,13; content:"X-Powered-By|3A| PHP/"; http_header; file_data; content:"PK"; within:2; classtype:bad-unknown; sid:2017637; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAR Size Under 30K Size - Potentially Hostile"; flow:established,to_client; content:"Content-Type|3A| application/java-archive"; http_header; fast_pattern:26,12; content:"Content-Length|3A| "; http_header; content:"|0D 0A|"; http_header; distance:5; within:2; file_data; content:"PK"; within:2; pcre:"/^Content\x2DLength\x3A\x20[12]\d{1,4}\x0D\x0A/Hmi"; classtype:bad-unknown; sid:2017639; rev:2;)
+
+#
+alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Alpha Networks ADSL2/2+ router remote administration password disclosure"; flow:to_server,established; content:"/APIS/returnJSON.htm"; http_uri; reference:url,packetstorm.foofus.com/1208-exploits/asl26555_pass_disclosure.txt; classtype:attempted-admin; sid:2017638; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Encrypted Webshell Download"; flow:established,to_client; file_data; content:"eval"; content:"mcrypt_decrypt"; distance:0; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017640; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible Encrypted Webshell in POST"; flow:established,to_server; content:"POST"; http_method; content:"eval"; http_client_body; content:"mcrypt_decrypt"; http_client_body; distance:0; reference:url,blog.sucuri.net/2013/10/backdoor-evasion-using-encrypted-content.html; classtype:bad-unknown; sid:2017641; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 1"; flow:established,to_server; content:"POST"; http_method; content:"port="; fast_pattern; http_client_body; content:"&uname="; distance:0; http_client_body; content:"&uuid="; http_client_body; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/P";content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http_header; content:!"User-Agent|3A|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; classtype:trojan-activity; sid:2017642; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Linux/Ssemgrvd sshd Backdoor HTTP CNC 2"; flow:established,to_server; content:"POST"; http_method; content:"POST"; http_method; content:"b=1&name="; http_client_body; depth:9; fast_pattern; content:"&uuid="; http_client_body; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/P"; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http_header; content:!"User-Agent|3A|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; classtype:trojan-activity; sid:2017643; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Host Domain .bit"; flow:established,to_server; content:".bit|0D 0A|"; fast_pattern:only; http_header; pcre:"/^Host\x3a [^\r\n]+?\.bit\r\n$/Hmi"; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017644; rev:1;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query Domain .bit"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|bit|00|"; fast_pattern; nocase; distance:0; reference:url,www.normanshark.com/blog/necurs-cc-domains-non-censorable/; classtype:bad-unknown; sid:2017645; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN possible TRAT proxy component user agent detected"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 6.0.1.3|3b 20|"; nocase; http_header; fast_pattern:37,14; reference:url,www.fireeye.com/blog/technical/malware-research/2013/10/evasive-tactics-terminator-rat.html; classtype:trojan-activity; sid:2017646; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Install"; flow:established,to_server; content:"GET"; http_method; content:"/api/stats/debug/"; fast_pattern:only; http_uri; content:"/?ts="; http_uri; content:"&ver="; http_uri; content:"&group="; http_uri; content:"&token="; http_uri; reference:md5,d1663e13314a6722db7cb7549b470c64; classtype:trojan-activity; sid:2017647; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sweet Orange payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; content:"Java/1."; http_header; fast_pattern:only; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017648; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange encrypted payload"; flow:established,to_client; flowbits:isset,et.SweetOrangeURI; file_data; byte_test:1,>,95,0,relative; byte_test:1,<,128,0,relative; content:"|00 00 00|"; distance:1; within:3; content:!"|00|"; within:1; content:"|00 00 00|"; distance:1; within:3; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017649; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/Grandsoft Plugin-Detect"; flow:established,to_client; file_data; content:"go2Page(|27|/|27|+PluginDetect.getVersion(|22|AdobeReader|22|)+|27|.pdf|27|)|3b|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017650; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET CURRENT_EVENTS Possible Neutrino EK Landing URI Format Nov 1 2013"; flow:established,to_server; urilen:18<>37; content:"GET"; http_method; content:"?"; http_uri; offset:6; depth:11; content:"="; http_uri; distance:5; within:8; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=\d{6,7}$/U"; classtype:trojan-activity; sid:2017652; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino Java Exploit/Payload Download Nov 1 2013"; flow:established,to_server; content:"Java/1."; http_header; pcre:"/^\/[a-z]{5,14}\?[a-z]{5,12}=[a-z]{6,11}$/U"; reference:url,pastebin.com/194D8UuK; classtype:trojan-activity; sid:2017653; rev:11;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Badur.Spy User Agent HWMPro"; flow:established,to_server; content:"User-Agent|3A| HWMPro|0D 0A|"; http_header; reference:md5,234c47b5b29a2cfcc00900bbc13ea181; classtype:trojan-activity; sid:2017654; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Badur.Spy User Agent lawl"; flow:established,to_server; content:"User-Agent|3A| lawl|0D 0A|"; http_header; reference:md5,4f5d28c43795b9c4e6257bf26c52bdfe; classtype:trojan-activity; sid:2017655; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/InstallMonster.Downloader Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/api/index"; http_uri; content:"User-Agent|3A| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; fast_pattern:35,15; pcre:"/^\x2Fapi\x2Findex$/U"; reference:md5,70a6d9cb37e346b4dfd28bd4ea1f8671; classtype:trojan-activity; sid:2017656; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT SUSPICIOUS JS Multiple Debug Math.atan2 calls with CollectGarbage"; flow:established,from_server; file_data; content:"CollectGarbage"; nocase; fast_pattern:only; content:"Math.atan2"; nocase; content:"Math.atan2"; nocase; distance:0; content:"Math.atan2"; nocase; distance:0; reference:url,blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/; reference:url,cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/; classtype:attempted-user; sid:2017657; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Trojan Secondary Download"; flow:established,to_server; content:"/calc.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017658; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Trojan Download"; flow:established,to_server; content:"/taskmgr.exe"; http_uri; fast_pattern; content:"Accept-Language|3a 20|zh-cn|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; reference:md5,3a2c3b422a7ec78f88a939d20ed07615; classtype:trojan-activity; sid:2017659; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Cookie Set By Flash Malvertising"; flow:established,to_server; content:"|0d 0a|Cookie|3a 20|asg325we234=1|0d 0a|"; reference:md5,cce9dcad030c4cba605a8ee65572136a; classtype:trojan-activity; sid:2017660; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Redirect to Neutrino goi.php Nov 4 2013"; flow:established,to_server; urilen:8; content:"/goi.php"; http_uri; classtype:trojan-activity; sid:2017661; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Known Sinkhole Response Header"; flow:established,to_server; content:"X-Sinkholed-Domain|3a|"; http_header; reference:md5,723a90462a417337355138cc6aba2290; classtype:trojan-activity; sid:2017662; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fredcot campaign php5-cgi initial exploit"; flow:to_server,established; content:!"Accept"; http_header; content:!"Referer"; http_header; content:"Mobile/10A5355d"; http_header; content:"<?php"; depth:5; http_client_body; content:"fredcot"; http_client_body; fast_pattern; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; classtype:web-application-attack; sid:2017663; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS Fredcot campaign payload download"; flow:to_server,established; content:"PASS fredcot123|0d 0a|"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017664; rev:5;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fredcot campaign IRC CnC"; flow:to_server,established; content:"JOIN #1111 ddosit"; reference:md5,e69bbd29f2822c1846d569ace710c9d5; reference:url,permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/20243; classtype:trojan-activity; sid:2017665; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK JAR URI Struct Nov 05 2013"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; content:"Java/1."; http_header; pcre:"/^\/\d{9,10}\/1[34]\d{8}\.jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017666; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK Payload URI Struct Nov 05 2013"; flow:established,to_server; content:"/f/"; http_uri; depth:3; pcre:"/^\/f\/1[34]\d{8}\/\d{9,10}(\/\d)+$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017667; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Backdoor.Adwind Download"; flow:established,from_server; file_data; content:"plugins/AdwindServer.class"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2013-070113-1904-99&tabid=3; classtype:attempted-user; sid:2017668; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Zip File"; flow:established,from_server; file_data; content:"PK|03 04|"; within:4; flowbits:set,et.http.PK; flowbits:noalert; classtype:misc-activity; sid:2017669; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Word DOCX with Many ActiveX Objects and Media"; flow:established,from_server; flowbits:isset,et.http.PK; file_data; content:"word/activeX/activeX40.xml"; nocase; content:"word/media/"; nocase; reference:url,blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2; classtype:trojan-activity; sid:2017670; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible CVE-2013-3906 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"User-Agent|3a| MyWebClient"; http_header; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017671; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS msctcd.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/msctcd.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/msctcd\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017672; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS taskmgr.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/taskmgr.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/taskmgr\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017673; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS wsqmocn.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/wsqmocn.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/wsqmocn\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017674; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS connhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/connhost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/connhost\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017675; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/lgfxsrvc.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lgfxsrvc\.exe$/Ui"; classtype:trojan-activity; sid:2017676; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS wimhost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/wimhost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/wimhost\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017677; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SUSPICIOUS lgfxsrvc.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/lgfxsrvc.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lgfxsrvc\.exe$/Ui"; classtype:trojan-activity; sid:2017678; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winlog.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/winlog.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlog\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017679; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS waulct.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/waulct.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/waulct\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017680; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS alg.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/alg.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/alg\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017681; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS mssrs.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/mssrs.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/mssrs\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017682; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winhosts.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/winhosts.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winhosts\.exe$/Ui"; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017683; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi Name Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi/login.cgi"; http_uri; nocase; content:"name="; nocase; http_client_body; content:"pwd="; http_client_body; nocase; pcre:"/(?:^|[\n\&])pwd=/Pi"; pcre:"/(?:^|[\n\&])name=(?:%\d{2}|[^%&]){129}/Pi"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017684; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI login.cgi PWD Parameter Buffer Overflow Attempt CVE-2013-3621"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi/login.cgi"; http_uri; nocase; content:"name="; http_client_body; nocase; content:"pwd="; http_client_body; nocase; pcre:"/(?:^|[\n\&])name=/Pi"; pcre:"/(?:^|[\n\&])pwd=(?:%\d{2}|[^%&]){25}/Pi"; reference:cve,CVE-2013-3621; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017685; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi sess_sid Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi/close_window.cgi"; http_uri; nocase; content:"sess_sid="; http_client_body; nocase; pcre:"/(?:^|[\n\&])sess_sid=(?:%\d{2}|[^%&]){21}/P"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017686; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI close_window.cgi ACT Parameter Buffer Overflow Attempt CVE-2013-3623"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/cgi/close_window.cgi"; http_uri; nocase; content:"ACT="; http_client_body; nocase; pcre:"/(?:^|[\n\&])ACT=(?:%\d{2}|[^%&]){21}/Pi"; reference:cve,CVE-2013-3623; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017687; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SUPERMICRO IPMI url_redirect.cgi Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/cgi/url_redirect.cgi"; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities; classtype:attempted-admin; sid:2017688; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Possible Schneebly Posting ScreenShot"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/viewimage.php?s="; http_uri; nocase; content:!"&"; http_uri; distance:0; content:!"Referer|3a|"; http_header; content:"filename="; http_client_body; content:"JFIF"; distance:0; http_client_body; reference:url,www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:trojan-activity; sid:2017689; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel.Arx Variant CnC Beacon 1"; flow:established,to_server; content:"/rssfeed.php?a="; http_uri; pcre:"/rssfeed\.php\?a=[^&]+?&\d+$/U"; content:!"Referer|3a|"; http_header; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:trojan-activity; sid:2017690; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Citadel.Arx Varient CnC Beacon 2"; flow:established,to_server; content:"/psp.php?p="; http_uri; content:"&g="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&r="; http_uri; content:!"Referer|3a|"; http_header; reference:url,botnetlegalnotice.com/citadel/files/Patel_Decl_Ex20.pdf; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/the-dual-use-exploit-cve-2013-3906-used-in-both-targeted-attacks-and-crimeware-campaigns.html; classtype:trojan-activity; sid:2017691; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx iframe with obfuscated CVE-2013-2551"; flow:established,from_server; file_data; content:"<html>|0d 0a|"; within:8; content:"<body"; within:100; content:"><h"; within:100; content:">|0d 0a|<div"; within:8; pcre:"/(?P<a>[0-9a-z]{2})(?P<s>(?!(?P=a))[0-9a-z]{2})[0-9a-z]{2}(?P=s)[0-9a-z]{2}(?P<y>[0-9a-z]{2})[0-9a-z]{4}(?P<dot>[0-9a-z]{2})(?P=a)(?P<r>[0-9a-z]{2})(?P=r)(?P=a)(?P=y)(?P=dot)/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017693; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Magnitude IE EK Payload Nov 8 2013"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017694; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Angler EK Flash Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; pcre:"/^GET \/0(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:trojan-activity; sid:2017695; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FaceBook IM & Web Driven Facebook Trojan Download"; flow:established,to_server; content:"/dlimage4.php"; http_uri; content:".best.lt.ua|0d 0a|"; http_header; pcre:"/Host\x3a\x20[a-z]{6}\.best.lt\.ua\r$/Hm"; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017696; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FaceBook IM & Web Driven Facebook Trojan Posting Data"; flow:established,to_server; content:"POST"; http_method; content:"/tsone/ajuno.php"; http_uri; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r$/Hm"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"u="; http_client_body; depth:2; content:"&p="; http_client_body; distance:0; content:"&l="; distance:0; http_client_body; reference:url,pastebin.com/raw.php?i=tdATTg7L; classtype:trojan-activity; sid:2017697; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude Landing Nov 11 2013"; flow:established,from_server; file_data; content:".fromCharCode("; nocase; pcre:"/^[^\)]+\][\r\n\s]*?\^[\r\n\s]*?\d+?[\r\n\s]*?\)/R"; content:"eval("; nocase; content:".split("; nocase; pcre:"/^[\r\n\s]*?[\x22\x27](?P<sp>[^\x22\x27]+)[\x22\x27].+?eval\([^\)\(]+?\([\x22\x27]\d{2,3}(?P=sp)\d{2,3}(?P=sp)/Rsi"; classtype:trojan-activity; sid:2017698; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Grandsoft/SofosFO EK PDF URI Struct"; flow:established,to_server; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/\d{1,2}(?P<l>[A-Z])\d{1,2}(?P=l)\d{1,2}(?P=l)\d{1,2}\.pdf$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017699; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Stitur Secondary Download"; flow:established,from_server; content:".file|0d 0a|"; http_header; fast_pattern:only; pcre:"/filename=[a-f0-9]{13}\.file\r\n/H"; content:"Content-Description|3a 20|File Transfer|0d 0a|"; http_header; content:"Content-Transfer-Encoding|3a 20|binary|0d 0a|"; http_header; classtype:trojan-activity; sid:2017700; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS webr00t WebShell Access"; flow:established,to_server; content:"/?webr00t="; http_uri; reference:url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html; classtype:trojan-activity; sid:2017701; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Trojan.APT.9002 POST"; flow:established,to_server; content:"POST "; depth:5; pcre:"/^POST\s+\/[a-f0-9]+\s/U"; content:!"|0d 0a|Referer|3a|"; distance:0; content:"User-Agent|3a 20|lynx|0d 0a|"; distance:0; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:trojan-activity; sid:2017702; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Angler EK Possible Flash/IE Payload"; flow:established,to_server; urilen:15; content:"/1"; depth:2; http_uri; pcre:"/^\/1[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017703; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 1"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017704; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 2"; flow:established,from_server; file_data; content:"InformationCardSigninHelper"; nocase; content:".requiredClaims"; nocase; content:".remove("; nocase; content:".add("; nocase; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017705; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Sweet Orange IE Payload Request"; flow:established,to_server; urilen:>50; content:".php?"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:" MSIE "; http_header; pcre:"/^\/[a-z\_\-]{4,10}\.php\?([a-z\_\-]{4,10}=\d{1,3}&){7,}[a-z\_\-]{4,10}=-?\d+$/U"; flowbits:set,et.SweetOrangeURI; classtype:trojan-activity; sid:2017706; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 4"; flow:to_server,established; dsize:>11; content:"|79 9e|"; fast_pattern:only; pcre:"/^[\x20-\x7e]+?.{8}\x79\x9e/s"; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017707; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 3"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|5c|u"; content:"|5c|u"; distance:4; within:4; content:"|5c|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x5cu\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017708; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE 0day CVE-2013-3918 4"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"|25|u"; content:"|25|u"; distance:4; within:4; content:"|25|u"; distance:4; within:4; pcre:"/^\{?[a-fA-F0-9]{4}\}?(\x25u\{?[a-fA-F0-9]{4}\}?){20}/Rs"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html; classtype:attempted-user; sid:2017709; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bamital checkin"; flow:established,to_server; content:".php?subid="; http_uri; content:"&os="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; classtype:trojan-activity; sid:2017710; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Fake Codec Download"; flow:established,to_server; content:"/Setup.exe?tid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2017711; rev:1;)
+
+#
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Taidoor Checkin"; flow:to_server,established; content:".jsp?"; offset:4; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+? HTTP\/1\.1/R"; content:"|0d 0a|User-Agent|3a| "; within:14; content:!"Referer"; distance:0; content:!"Accept"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017713; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PlugX Checkin"; flow:to_server,established; content:"POST "; depth:5; pcre:"/^\/[A-F0-9]{24} HTTP\/1\.1/R"; content:"|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|"; within:15; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; content:!"Referer"; distance:0; content:!"Accept"; distance:0; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:trojan-activity; sid:2017714; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Angler EK SilverLight Exploit"; flow:established,to_server; urilen:15; content:"/0"; depth:2; http_uri; fast_pattern; pcre:"/^\/0[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017715; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Athena Bot Nick in IRC"; flow:established,to_server; content:"NICK "; content:"|5b|"; distance:1; within:1; pcre:"/^[A-Z]{3}\|[UA]\|[DL]\|W([78]|_XP|VIS)\|x(86|64)\|/R"; reference:url,arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/; reference:md5,859c2fec50ba1212dca9f00aa4a64ec4; classtype:trojan-activity; sid:2017716; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Botnet Monitor Request CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/monitor.php?resp=ID|3a|"; fast_pattern:only; http_uri; pcre:"/\/monitor\.php\?resp=ID\x3a[A-Za-z]{15}/U"; content:"Target|3a|"; http_uri; content:"Message|3a|"; http_uri; content:!"Referer|3a 20|"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (SEObot)|0d 0a|"; http_header; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017717; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Botnet Login Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/operator/login.php"; fast_pattern:only; http_uri; pcre:"/\/operator\/login\.php$/U"; content:!"Referer|3a 20|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/4.0 (SEObot)|0d 0a|"; http_header; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017718; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Outbound"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,20; http_header; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017721; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DOS Trojan.BlackRev V1.Botnet HTTP Login POST Flood Traffic Inbound"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:24,20; http_header; content:"login="; http_client_body; depth:6; content:"$pass="; http_client_body; within:50; threshold: type both, count 5, seconds 60, track by_src; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:attempted-dos; sid:2017722; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.BlackRev Botnet Command Request CnC Beacon"; flow:established,to_server; content:"/gate.php?cmd="; fast_pattern:only; http_uri; pcre:"/\/gate\.php\?cmd=(?:get(?:installconfig|exe)|urls)$/U"; content:!"Referer|3a 20|"; http_header; reference:url,www.btpro.net/blog/2013/05/black-revolution-botnet-trojan/; classtype:trojan-activity; sid:2017723; rev:1;)
+
+#
+alert icmp any any -> any any (msg:"ET TROJAN PWS Win32/Lmir.BMQ checkin"; dsize:19; content:"This|27|s|20|Ping|20|Packet|21|"; reference:md5,0fe0cf9a2d8c3ccd1c92acbb81ff6343; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS%3AWin32%2FLmir.BMQ; classtype:trojan-activity; sid:2017724; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sisproc update"; flow:to_server,established; content:"/poll/update.txt"; http_uri; content:!"Referer|3A 20|"; http_header; reference:md5,f8b3fb4e5f8f1b3bd643e58f1015f9fc; classtype:trojan-activity; sid:2017725; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader (P2P Zeus dropper UA)"; flow:to_server,established; content:"User-Agent|3a 20|Updates downloader"; classtype:trojan-activity; sid:2017726; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET TROJAN Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN Trojan.Dropper.Win32.Dapato.braa.AMN CnC traffic"; flow:to_server,established; content:"9002"; depth:4; reference:md5,6ef66c2336b2b5aaa697c2d0ab2b66e2; classtype:trojan-activity; sid:2017728; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler Landing Nov 18 2013"; flow:established,from_server; file_data; content:"<title>"; content:"soft apple."; fast_pattern; distance:0; content:"</title>"; distance:0; content:"AgControl.AgControl"; nocase; content:"Math.floor"; nocase; classtype:trojan-activity; sid:2017729; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; content:"/post.php?referanceMod="; http_uri; nocase; content:"java"; http_uri; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Styx EK SilverLight Payload"; flow:established,to_server; urilen:19; content:"/1"; depth:2; http_uri; fast_pattern; pcre:"/^\/1[a-z0-9]{13}\.[a-z]{3}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017731; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Styx/Angler SilverLight Exploit"; flow:established,from_server; file_data; content:"PK"; within:2; content:"ababbss.dll"; fast_pattern; content:"AppManifest.xaml"; classtype:trojan-activity; sid:2017732; rev:6;)
+
+#
+##alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET DELETED Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; classtype:trojan-activity; sid:2017733; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER WEBSHELL pwn.jsp shell"; flow:established,to_server; content:"/pwn.jsp?"; http_uri; nocase; fast_pattern:only; content:"cmd="; http_uri; nocase; reference:url,nickhumphreyit.blogspot.co.il/2013/10/jboss-42-hacked-by-pwnjsp.html; reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; classtype:attempted-admin; sid:2017734; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS WhiteLotus EK PluginDetect Nov 20 2013"; flow:established,from_server; file_data; content:"makeid"; pcre:"/^[\r\n\s]*?\(/R"; content:"replaceIt"; pcre:"/^[\r\n\s]*?\(/R"; content:".getVersion"; nocase; content:"Silverlight"; nocase; content:"Java"; nocase; content:"Reader"; nocase; content:"Flash"; nocase; classtype:trojan-activity; sid:2017735; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 1"; flow:established,from_server; file_data; content:"a0dmblxmL5FmcyFmLlxWe0NHazFGZ"; classtype:trojan-activity; sid:2017736; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 2"; flow:established,from_server; file_data; content:"gGdn5WZs5SehJnch5SZslHdzh2chR"; classtype:trojan-activity; sid:2017737; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible WhiteLotus EK 2013-2551 Exploit 3"; flow:established,from_server; file_data; content:"oR3ZuVGbukXYyJXYuUGb5R3coNXYk"; classtype:trojan-activity; sid:2017738; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible WhiteLotus Java Payload"; flow:established,to_server; content:"Java/1."; http_header; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[^\/\.]+$/U"; classtype:trojan-activity; sid:2017739; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Nov 21 2013"; flow:established,from_server; file_data; content:"object|22|.substring(15)"; content:"|22|"; distance:-37; within:1; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017740; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kryptik Check-in"; flow:established,to_server; content:".php?"; http_uri; nocase; content:"&bot_id="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.php\?(q|name)=/Ui"; classtype:attempted-user; sid:2017741; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Solarbot Check-in"; flow:established,to_server; content:"POST"; http_method; content:!"Referer|3a|"; http_header; content:"v="; depth:2; http_client_body; content:"&u="; http_client_body; content:"&w="; http_client_body; content:"&c="; http_client_body; pcre:"/&s=\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?(?:&|$)/Pi"; classtype:trojan-activity; sid:2017742; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible WhiteLotus IE Payload"; flow:established,to_server; content:"GET"; http_method; content:"/?"; depth:2; http_uri; fast_pattern; content:" MSIE "; http_header; content:!"Referer|3a|"; http_header; content:"|0d 0a 0d 0a|"; pcre:"/^\/\?[A-Za-z0-9]+=(?P<v1>[^&]+)&(?P=v1)=[A-Za-z0-9]+$/U"; classtype:trojan-activity; sid:2017743; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS StyX EK Payload Cookie"; flow:established,to_server; content:"Cookie|3a 20|fGGhTasdas=http"; classtype:trojan-activity; sid:2017744; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Media Player malware binary requested"; flow:established,to_server; content:"&filename=Media Player "; http_uri; content:".exe"; http_uri; classtype:trojan-activity; sid:2017745; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader Win32.Genome.AV"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/other.txt"; fast_pattern; http_uri; content:"User-Agent|3a 20|NSIS_Inetc|20|(Mozilla)"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; content:!"|0d 0a|Accept"; http_header; flowbits:set,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017746; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Trojan-Downloader Win32.Genome.AV server response"; flow:to_client,established; file_data; content:"|5b|Soft"; pcre:"/^\d+?\x5d/R"; content:"SoftTitle="; distance:0; flowbits:isset,et.GENOME.AV; reference:md5,d14314ceb74c8c1a8e1e8ca368d75501; classtype:trojan-activity; sid:2017747; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java Downloading Archive flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017748; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Java Downloading Class flowbit no alert"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|CA FE BA BE|"; within:4; flowbits:set,et.JavaArchiveOrClass; flowbits:noalert; classtype:misc-activity; sid:2017749; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible PHISH Remax - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"/aol.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017750; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"/yahoo.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017751; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible PHISH Remax - GMail Creds"; flow:established,to_server; content:"POST"; http_method; content:"/gmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017752; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"/hotmail.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017753; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible PHISH Remax - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"/other.php"; http_uri; fast_pattern; content:"Sign+In"; http_client_body; nocase; classtype:bad-unknown; sid:2017754; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Goon EK Java Payload"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; content:".mp3"; http_uri; pcre:"/\/[0-2][0-9][0-5][0-9][0-5][0-9]\.mp3$/U"; classtype:trojan-activity; sid:2017755; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Goon EK Jar Download"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"Goon.class"; classtype:trojan-activity; sid:2017756; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 1"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"amF2YS9sYW5nL1J1bnRpbW"; classtype:trojan-activity; sid:2017757; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 2"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"phdmEvbGFuZy9SdW50aW1l"; classtype:trojan-activity; sid:2017758; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Lang Runtime in B64 Observed in Goon EK 3"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"qYXZhL2xhbmcvUnVudGltZ"; classtype:trojan-activity; sid:2017759; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Accessing Security Manager"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"etSecurityManager"; classtype:bad-unknown; sid:2017760; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class file Importing Protection Domain"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/security/ProtectionDomain"; classtype:bad-unknown; sid:2017761; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Accessing Importing glassfish"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/gmbal"; classtype:bad-unknown; sid:2017762; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class B64 encoded class"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"yv66v"; classtype:bad-unknown; sid:2017763; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing jmx mbeanserver"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"jmx/mbeanserver"; classtype:bad-unknown; sid:2017764; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing mbeanserver Introspector"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"mbeanserver/Introspector"; classtype:bad-unknown; sid:2017765; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing glassfish external statistics impl"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"glassfish/external/statistics/impl"; classtype:bad-unknown; sid:2017766; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing management MBeanServer"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"management/MBeanServer"; classtype:bad-unknown; sid:2017767; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Mozilla JS Class Creation"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"sun.org.mozilla.javascript.internal.Context"; content:"sun.org.mozilla.javascript.internal.GeneratedClassLoader"; classtype:trojan-activity; sid:2017768; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Hex Encoded Class file"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"CAFEBABE"; classtype:bad-unknown; sid:2017769; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing tracing Provider Factory"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"tracing/ProviderFactory"; classtype:bad-unknown; sid:2017770; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classes used in awt exploits"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image"; content:"Raster"; content:"SampleModel"; classtype:bad-unknown; sid:2017771; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2471/2472/2473"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/SinglePixelPacked"; classtype:bad-unknown; sid:2017772; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS Java Request With Uncompressed JAR/Class Importing Classe used in CVE-2013-2465/2463"; flow:established,from_server; flowbits:isset,et.JavaArchiveOrClass; file_data; content:"java/awt/image/MultiPixelPacked"; classtype:bad-unknown; sid:2017773; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013"; flow:established,to_server; content:".htm"; http_uri; fast_pattern:only; pcre:"/^\/\d{8,11}\/1[34]\d{8}\.htm$/U"; pcre:"/^Referer\x3a[^\r\n]+?\/[a-f0-9A-Z\_\-]{32,}\.html(?:\x3a\d{1,5})?\r$/Hm"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017774; rev:8;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Darkness DDoS HTTP Target/EXE"; flow:from_server,established; file_data; content:"Z"; within:1; content:"PWh0dHA"; distance:2; within:9; pcre:"/^[a-z0-9\+\/]+={0,2}$/Rsi"; classtype:trojan-activity; sid:2017775; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Darkness DDoS Common Intial Check-in Response wtf"; flow:from_server,established; file_data; content:"d3Rm"; within:4; pcre:"/^(?:\r\n|$)/R"; reference:md5,a9af388f5a627aa66c34074ef45db1b7; classtype:trojan-activity; sid:2017776; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access takeCameraPicture"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:".takeCameraPicture"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017777; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access getGalleryImage"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"getGalleryImage"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017778; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access makeCall"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"makeCall"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017779; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access postToSocial"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"postToSocial"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017780; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendMail"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendMail"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017781; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access sendSMS"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"sendSMS"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017782; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Android InMobi SDK SideDoor Access registerMicListener"; flow:from_server,established; file_data; content:"utilityController"; nocase; content:"registerMicListener"; nocase; reference:url,www.fireeye.com/blog/technical/vulnerabilities/2013/11/inmobi-another-vulnaggressive-adware-opens-billions-of-javascript-sidedoors-on-android-devices.html; classtype:trojan-activity; sid:2017783; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin Generic 2"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; fast_pattern:27,20; content:!"|0d 0a|Accept|3a|"; content:!"|0d 0a|Referer|3a|"; content:"GET "; depth:4; pcre:"/^\/[A-Za-z]{2,}\/\?[a-z]\sHTTP\/1\.[0-1]\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a\x20[^\r\n]+?(?:\x3a(443|8080|900[0-9]))?\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?\r\n$/R"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2017784; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK IE Exploit CVE-2013-2551"; flow:from_server,established; file_data; content:"#default#VML"; nocase; fast_pattern:only; content:"stroke"; nocase; content:"visibility"; nocase; content:"hidden"; nocase; distance:0; content:"Array"; nocase; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[\x22\x27]f([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?m([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?C([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?h([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?a([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?r([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?c([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?o([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?d([\x22\x27][\r\n\s]*?,[\r\n\s]*[\x22\x27])?e[\x22\x27]/Ri"; classtype:trojan-activity; sid:2017785; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SNET EK Activity Nov 27 2013"; flow:established,to_server; content:"?src="; content:"request|3a 20|microsoft_update|0d 0a|"; pcre:"/^[^\s]*?\s*?\/[^\r\n\s]*?\?src=/i"; classtype:trojan-activity; sid:2017786; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.KorBanker Fake Banking App Install CnC Beacon"; flow:established,to_server; content:"/send_sim_no.php"; http_uri; content:"mobile_no="; http_client_body; depth:16; content:"&datetime="; http_client_body; within:30; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017787; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.KorBanker Sucessful Fake Banking App Install CnC Server Acknowledgement"; flow:established,to_client; file_data; content:"|7b 22|success|22 3A|1,|22|message|22 3A 22|Product successfully updated.|22|}"; within:55; reference:url,www.fireeye.com/blog/technical/targeted-attack/2013/11/dissecting-android-korbanker.html; reference:md5,a68bbfe91fab666daaf2c070db00022f; reference:md5,a68bbfe91fab666daaf2c070db00022f; classtype:trojan-activity; sid:2017788; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JJEncode Encoded Script Inside of PDF Likely Evil"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"|2c 24 24 24 24 3a 28 21 5b 5d 2b 22 22 29 5b|"; reference:md5,6776bda19a3a8ed4c2870c34279dbaa9; classtype:trojan-activity; sid:2017789; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Adobe PDF CVE-2013-0640"; flow:from_server,established; flowbits:isset,ET.pdf.in.http; file_data; content:".keep.previous"; nocase; fast_pattern:only; content:".resolveNode"; nocase; pcre:"/^[\r\n\s]*?\\?\(.+?\\?\)\.keep\.previous[\r\n\s]*?=[\r\n\s]*?[\x22\x27]contentArea/Rsi"; reference:url,www.exploit-db.com/exploits/29881/; classtype:attempted-user; sid:2017790; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Polling/Check-in/Compromise from fake DHL mailing campaign"; flow:established,to_server; content:"/golden/index.php"; http_uri; fast_pattern:only; content:" MSIE 7.0"; http_header; content:"q=0.1|0d 0a|"; http_header; classtype:trojan-activity; sid:2017791; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Hostile fake DHL mailing campaign"; flow:established,to_server; content:"but no one bell unresponsive"; content:"The best regard DHL.com."; content:"filename=Notice"; classtype:trojan-activity; sid:2017792; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HiMan EK - Payload Requested"; flow:established,to_server; content:".php?e="; http_uri; content:"&ver="; http_uri; distance:0; classtype:trojan-activity; sid:2017793; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK - Flash Exploit"; flow:established,to_client; file_data; content:"function Flash_Exploit() {"; classtype:trojan-activity; sid:2017794; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK - Payload Downloaded - EXE in ZIP Downloaded by Java"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; classtype:trojan-activity; sid:2017795; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK - Landing Page"; flow:established,to_client; file_data; content:"687474703a2f2f"; fast_pattern:only; content:"<applet"; nocase; pcre:"/^((?!<\/applet>).)+?[\x22\x27]687474703a2f2f/Rsi"; classtype:trojan-activity; sid:2017796; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HiMan EK - TDS - POST hyt="; flow:established,to_server; content:"POST"; http_method; content:"hyt="; http_client_body; depth:4; content:"&vre="; http_client_body; classtype:trojan-activity; sid:2017797; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; content:"User-Agent|3a| Zollard"; http_header; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PeopleSoft Portal Command with Default Creds"; flow:to_server,established; content:"cmd="; http_uri; nocase; content:"pwd=dayoff"; http_uri; nocase; fast_pattern:only; pcre:"/[&?]pwd=dayoff(?:&|$)/Ui"; pcre:"/[&?]cmd=/Ui"; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017801; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SAP Possible CTC Auth/HTTP Verb Bypass Attempt"; flow:to_server,established; content:"HEAD"; nocase; http_method; content:"/ctc/"; http_uri; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017802; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=system"; http_client_body; nocase; content:"j_password=Passw0rd"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017803; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible WebLogic Admin Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=system"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-admin; sid:2017804; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible WebLogic Monitor Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=monitor"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017805; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible WebLogic Operator Login With Default Creds"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/console/j_security_check"; http_uri; nocase; content:"j_username=operator"; http_client_body; content:"j_password=password"; http_client_body; reference:url,media.blackhat.com/us-13/US-13-Polyakov-Practical-Pentesting-of-ERPs-and-Business-Applications-Slides.pdf; classtype:attempted-user; sid:2017806; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible MySQL SQLi User-Dump Attempt"; flow:to_server,established; content:"select"; nocase; http_uri; content:"mysql.user"; http_uri; nocase; distance:1; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017807; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible MySQL SQLi Attempt Information Schema Access"; flow:to_server,established; content:"information_schema"; nocase; http_uri; reference:url,pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet; classtype:web-application-attack; sid:2017808; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK XOR'd Payload"; flow:from_server,established; file_data; content:"|7c 68 a3 34 36 36 37 38|"; within:8; classtype:trojan-activity; sid:2017809; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"window.misc_addons_detect.hasSilverlight("; classtype:trojan-activity; sid:2017810; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Magnitude EK (formerly Popads) Java Jar Download"; flow:established,to_server; urilen:>32; content:"Java/1."; http_header; pcre:"/^\/(?:[\/_]*?[a-f0-9][\/_]*?){32}$/U"; content:"_"; http_uri; content:"/"; http_uri; offset:1; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017811; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack URI with Windows Plugin-Detect Data"; flow:established,to_server; content:".php?id="; http_uri; content:"7c57696e646f7773"; http_uri; pcre:"/\.php\?id=[a-f0-9]+$/U"; classtype:trojan-activity; sid:2017812; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack SilverLight Payload"; flow:established,to_server; content:"/loadsilver.php"; http_uri; content:!"Referer|3a|"; http_header; pcre:"/User-Agent\x3a[^\r\n]*?\/loadsilver\.php/Hm"; classtype:trojan-activity; sid:2017813; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Safe/CritX/FlashPack URI Struct .php?id=Hex"; flow:established,to_server; content:".php?id="; http_uri; pcre:"/\/(?:java(?:db|im|rh)|silver|flash|msie)\.php\?id=/U"; classtype:trojan-activity; sid:2017814; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Safe/CritX/FlashPack Edwards Packed PluginDetect"; flow:established,to_client; file_data; content:"|7C|PluginDetect|7C|"; classtype:trojan-activity; sid:2017815; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Possible Upatre Downloader SSL certificate"; flow:established,from_server; content:"|2a 86 48 86 f7 0d 01 09 01|"; pcre:"/^.{2}(?P<fake_email>([asdfgh]+|[qwerty]+|[zxcvbn]+)\@([asdfgh]+|[qwerty]+|[zxcvbn]+)\.).+?\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}(?P=fake_email)/Rs"; reference:url,blogs.technet.com/b/mmpc/archive/2013/10/31/upatre-emerging-up-d-at-er-in-the-wild.aspx; classtype:trojan-activity; sid:2017816; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Landing Page Dec 09 2013"; flow:established,from_server; file_data; content:"<ul style=|22|display|3a| none|3b 22|>"; nocase; fast_pattern:2,20; content:"<li"; nocase; pcre:"/^[^>]*?\>/R"; content:!"</li>"; nocase; within:500; content:"f"; within:100; pcre:"/^(?P<sep>.{1,10})u(?P=sep)n(?P=sep)c(?P=sep)t(?P=sep)i(?P=sep)o(?P=sep)n(?P=sep)\s/R"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017817; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Zbot EXE filename Dec 09 2013"; flow:established,to_server; content:"/bc.exe"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017818; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx EK iexp.html"; flow:established,to_server; content:"/iexp.html"; http_uri; content:!"&"; http_uri; classtype:trojan-activity; sid:2017819; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER IIS ISN BackDoor Command GetLog"; flow:established,to_server; content:"isn_getlog"; http_uri; nocase; fast_pattern:only; pcre:"/[?&]isn_getlog/Ui"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017820; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER IIS ISN BackDoor Command Delete Log"; flow:established,to_server; content:"isn_logdel"; http_uri; nocase; fast_pattern:only; pcre:"/[?&]isn_logdel/Ui"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017821; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER IIS ISN BackDoor Command Get Logpath"; flow:established,to_server; content:"isn_logpath"; http_uri; nocase; fast_pattern:only; pcre:"/[?&]isn_logpath/Ui"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module.html; classtype:trojan-activity; sid:2017822; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS heapSpray in jjencode"; flow:from_server,established; file_data; content:".__$+"; pcre:"/^(?P<sep>((?!\.\$\_\$\+).){1,10})\.\$\_\$\+(?P=sep)\.___\+(?P=sep)\.\$\$\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\_\$\_\+(?P=sep)\.\_\$\$\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\_\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\_\+(?P=sep)\.\_\$\_\+(?P=sep)\.\$\_\$\_\+\"\\\"\+(?P=sep)\.\_\_\$\+(?P=sep)\.\$\$\$\+(?P=sep)\.\_\_\$/R"; reference:url,www.invincea.com/2013/12/e-k-i-a-adobe-reader-exploit-cve-2013-3346-kernel-ndproxy-sys-zero-day-eop/; classtype:trojan-activity; sid:2017823; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Neutrino Landing Page Dec 09 2013"; flow:from_server,established; file_data; content:".charCodeAt("; fast_pattern; pcre:"/^[^\)]+\)[\r\n\s]*?\^[\r\n\s]*?[\w\.\_\-]*?\.charCodeAt\([^\)]+\)[\r\n\s]*?\,/Rsi"; content:"Math.floor"; content:"$(document).ready"; content:"decodeURIComponent"; pcre:"/^[\r\n\s]*?\,/Rsi"; content:"+= |22 22|"; content:"+= |22 22|"; distance:0; classtype:trojan-activity; sid:2017824; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Zollard PHP Exploit UA Outbound"; flow:established,to_server; content:"User-Agent|3A 20|Zollard|0D 0A|"; http_header; reference:cve,2012-1823; reference:url,blogs.cisco.com/security/the-internet-of-everything-including-malware/; classtype:trojan-activity; sid:2017825; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SPL2 EK Landing Dec 09 2013"; flow:from_server,established; file_data; content:"$.getVersion(|22|Silverlight|22|)"; content:"$.getVersion(|22|Java|22|)"; content:"calcMD5(encode_utf8(location"; classtype:trojan-activity; sid:2017826; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK Dec 09 2013 Java Request"; flow:established,to_server; content:"Java/1."; http_header; content:".html%3fjar"; http_raw_uri; pcre:"/\.html\?jar$/U"; classtype:trojan-activity; sid:2017827; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning"; fast_pattern; within:50; content:"for open ports."; within:40; classtype:trojan-activity; sid:2017828; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Open port(s)|3A| "; fast_pattern; within:50; classtype:trojan-activity; sid:2017829; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Perl/Mambo.WebShell Spreader IRC No Open Ports Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"No open ports found"; fast_pattern; within:50; classtype:trojan-activity; sid:2017830; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attacking Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attacking"; within:50; fast_pattern; classtype:trojan-activity; sid:2017831; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Attack Done Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Attack"; fast_pattern; within:50; content:"done"; within:8; classtype:trojan-activity; sid:2017832; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS PerlBot Version Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"perlb0t ver"; within:50; classtype:trojan-activity; sid:2017833; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Mambo Scanning Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Scanning for unpatched mambo for"; within:80; classtype:trojan-activity; sid:2017834; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Mambo.PerlBot Spreader IRC DDOS Exploited Message"; flow:established,to_server; content:"PRIVMSG|20|"; content:"Exploited"; within:50; content:"boxes in"; within:30; classtype:trojan-activity; sid:2017835; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|"; http_header; depth:32; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/Hm"; classtype:trojan-activity; sid:2017836; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Zbot Activity Common Download Struct"; flow:to_server,established; content:".bin"; fast_pattern; http_uri; pcre:"/\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|"; http_header; depth:12; content:" MSIE "; http_header; pcre:"/^User-Agent\x3a[^\r\n]*?\sMSIE\s/H"; classtype:trojan-activity; sid:2017837; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Connection To Known Sinkhole Domain sinkdns.org"; flow:to_server,established; content:".sinkdns.org"; http_header; nocase; pcre:"/^Host\x3a[^\r\n]*?\.sinkdns\.org(\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017838; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vawtrak/NeverQuest Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:!"Referer|3a|"; http_header; content:"id="; depth:3; http_client_body; content:"&info="; http_client_body; pcre:"/^id=[A-Z0-9]+?&info=[A-Z0-9]+?$/P"; classtype:trojan-activity; sid:2017839; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit - JAR Exploit"; flow:to_server,established; urilen:>300; content:"Java/1."; http_header; content:".jar"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.jar$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:trojan-activity; sid:2017840; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit - EOT Exploit"; flow:to_server,established; urilen:>300; content:".eot"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.eot$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:trojan-activity; sid:2017844; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Styx Exploit Kit - HTML"; flow:to_server,established; urilen:>300; content:".htm"; fast_pattern:only; http_uri; pcre:"/^\/[a-zA-Z0-9_\x2f-]{300,}\.html?$/U"; content:"/"; http_uri; offset:1; content:"_"; http_uri; offset:1; content:"-"; offset:1; http_uri; classtype:trojan-activity; sid:2017841; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS winhost(32|64).exe in URI"; flow:established,to_server; content:"GET"; http_method; content:"/winhost"; http_uri; nocase; fast_pattern:only; pcre:"/\/winhost(?:32|64)\.(exe|pack)$/Ui"; classtype:trojan-activity; sid:2017842; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS pony.exe in URI"; flow:established,to_server; content:"GET"; http_method; content:"/pony."; http_uri; nocase; fast_pattern:only; pcre:"/\/pony\.(exe|pack)$/Ui"; classtype:trojan-activity; sid:2017843; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY FakeUpdate - URI - /styles/javaupdate.css"; flow:established,to_server; content:"/styles/javaupdate.css"; http_uri; classtype:trojan-activity; sid:2017845; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY FakeUpdate - URI - Payload Requested"; flow:established,to_server; content:"DDL Java Installer.php?dv1="; http_uri; classtype:trojan-activity; sid:2017846; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Browlock Landing Page URI Struct"; flow:to_server,established; content:"/?flow_id"; http_uri; content:"/case_id="; http_uri; fast_pattern:only; pcre:"/\/\?flow_id=\d+?&\d+?=\d+?\/case_id=\d+$/U"; classtype:trojan-activity; sid:2017847; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 EK SilverLight"; flow:to_server,established; content:".html?sv="; http_uri; fast_pattern:only; pcre:"/\.html\?sv=[1-5](\,\d+?){1,3}$/U"; classtype:trojan-activity; sid:2017848; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2013-2551 As seen in SPL2 EK"; flow:from_server,established; file_data; content:".dashstyle.array.length"; nocase; pcre:"/^[\r\n\s]*?=[\r\n\s]*?(?:-[\r\n\s]*?\d|0[\r\n\s]*?-)/Ri"; classtype:trojan-activity; sid:2017849; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; pcre:"/^GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; classtype:trojan-activity; sid:2017850; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HiMan EK Exploit URI Struct"; flow:to_server,established; content:"=687474703a2f2f"; http_uri; content:".php?"; http_uri; pcre:"/\/(?:d|xie|fla)\.php\?[a-z]+?=687474703a2f2f/U"; classtype:trojan-activity; sid:2017851; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HiMan EK Secondary Landing"; flow:from_server,established; file_data; content:"<body onload=|27|Exploit()|3b 27|>"; fast_pattern:6,20; content:"|3a|stroke"; nocase; classtype:trojan-activity; sid:2017852; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress OptimizePress Arbitratry File Upload"; flow:to_server,established; content:"POST"; http_method; content:"/lib/admin/media-upload"; http_uri; pcre:"/\/lib\/admin\/media-upload(?:-lncthumb|-sq_button)?\.php/Ui"; content:"<?"; http_client_body; content:".php"; http_client_body; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017853; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHP script in OptimizePress Upload Directory Possible WebShell Access"; flow:to_server,established; content:"/wp-content/uploads/optpress/images_"; http_uri; fast_pattern:16,20; content:".php"; http_uri; pcre:"/\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php/Ui"; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017854; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.MovieStar.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/p3oahin/"; depth:9; http_uri; content:".aspx?r="; distance:0; http_uri; content:"&a="; distance:0; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017855; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.Snake.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/ke3chang/Directx.aspx?r="; depth:25; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017856; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.MyWeb.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/MYWEB/SearchX.ASpX?id1="; depth:24; http_uri; content:"&id2="; distance:0; http_uri; content:"&id3="; distance:0; http_uri; content:"&id4="; distance:0; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017857; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.BMW.APT Campaign CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:35<>37; content:".aspx?Random="; http_uri; fast_pattern:only; pcre:"/^\x2F(?:acheb|bajree|cyacrin|dauber|eaves)\x2Easpx\x3FRandom\x3D[a-z]{16}$/Ui"; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017858; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.Dream.APT Campaign CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"/shfam9y/"; depth:9; http_uri; content:".aspx?r="; distance:0; http_uri; content:"&a="; distance:0; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,www.fireeye.com/blog/technical/malware-research/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html; classtype:trojan-activity; sid:2017859; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ke3chang.MyWeb.APT Eourdegh Campaign CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/Eourdegh/Swdfrp.ASpX?id1="; depth:26; http_uri; content:"&id2="; distance:0; http_uri; content:"&id3="; distance:0; http_uri; content:"&id4="; distance:0; http_uri; reference:url,www.fireeye.com/resources/pdfs/fireeye-operation-ke3chang.pdf; reference:url,jsunpack.jeek.org/dec/go?report=e5f9dae61673a75db6dcb2475cb6ea8f22f66e9a; classtype:trojan-activity; sid:2017860; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Grandsoft/SofosFO EK Java Payload URI Struct"; flow:established,to_server; content:"Java/1."; http_header; fast_pattern:only; pcre:"/^\/\d{4,5}\/\d{7}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017861; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack PDF Exploit"; flow:established,to_server; content:"/pdf.php?pdf="; http_uri; fast_pattern:only; content:"type="; http_uri; pcre:"/\/pdf\.php\?pdf=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017862; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack Java Exploit"; flow:established,to_server; content:"Java/1."; http_header; content:"/java.php?eid="; http_uri; fast_pattern:only; content:"type="; http_uri; pcre:"/\/java\.php\?eid=[a-f0-9]{32}&/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017863; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack HCP Exploit"; flow:established,to_server; content:"/hcp.php?"; http_uri; fast_pattern:only; content:"type="; nocase; http_uri; content:"o="; nocase; http_uri; content:"b="; nocase; http_uri; pcre:"/[&?]type=\d+(?:$|&)/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017864; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack Jar 1 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_header; content:"/cp.jar"; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017865; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimePack Jar 2 Dec 16 2013"; flow:established,to_server; content:"Java/1."; http_header; content:"/serial.jar"; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017866; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Liftoh.Downloader Feed404 CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/feed404/mysfeeds.php"; http_uri; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017867; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Liftoh.Downloader Images CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/images/gx.php"; http_uri; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017868; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Liftoh.Downloader Final.html Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"/dl/"; http_uri; content:"/final.html"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017869; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Liftoh.Downloader Get Final Payload Request"; flow:established,to_server; content:"/get/"; http_uri; content:"/final"; http_uri; content:"Cookie|3A| ip="; http_header; pcre:"/Cookie\x3A\x20ip\x3D[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}\x2E[0-9]{1,3}/H"; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/spam-campaign-delivers-liftoh-downloader/; classtype:trojan-activity; sid:2017870; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Subscribe/Authorize Stratum Protocol Message"; flow:established,to_server; content:"{|22|id|22|"; depth:10; content:"|22|method|22 3A| |22|mining."; within:100; content:"|22|params|22|"; within:50; pcre:"/\x22mining\x2E(subscribe|authorize)\x22/"; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017871; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Initial Connection Server Response"; flow:established,to_client; content:"|22|result|22 3A| [[|22|mining.notify|22|"; depth:120; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017872; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Stratum Protocol Mining.Notify Work Server Response"; flow:established,to_client; content:"|22|params|22 3A| [|22|"; depth:120; content:"|22|method|22 3A| |22|mining.notify|22|"; distance:0; reference:url,research.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; reference:url,www.btcguild.com/new_protocol.php; reference:url,mining.bitcoin.cz/stratum-mining; classtype:trojan-activity; sid:2017873; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/BitCoinMiner Fake Flash Player Distribution Campaign - December 2013"; flow:established,to_server; content:"/blam/flashplayerv"; nocase; http_uri; reference:url,blog.malwarebytes.org/fraud-scam/2013/12/fake-flash-player-wants-to-go-mining/; reference:url,esearch.zscaler.com/2013/12/bitcoin-mining-operation-seen-across.html; classtype:trojan-activity; sid:2017874; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Coldfusion cfcexplorer Directory Traversal"; flow:established,to_server; content:"/cfcexplorer.cfc"; nocase; http_uri; fast_pattern:only; content:"path="; nocase; pcre:"/^[^&]*?(?:%(?:25)?2e(?:%(?:(?:25)?2e(?:%(?:25)?5c|\/|\\)|2e(?:25)?%(?:25)?2f)|\.(?:%(?:25)?(?:2f|5c)|\/|\\))|\.(?:%(?:25)?2e(?:%(?:25)?(?:2f|5c)|\/|\\)|\.(?:%(?:25)?(?:2f|5c)|\/|\\)))/Ri"; reference:url,blog.spiderlabs.com/2013/12/the-curious-case-of-the-malicious-iis-module-prologue-method-of-entry-analysis.html; classtype:attempted-user; sid:2017875; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 5"; flow:to_server,established; dsize:>11; content:"|78 9c|"; fast_pattern:only; byte_jump:4,0,little,post_offset 1; isdataat:!1,relative; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017876; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 6"; flow:to_server,established; dsize:>11; content:"|78 9c|"; fast_pattern:only; byte_extract:4,0,compressed_size,little; byte_test:4,>,compressed_size,4,little; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{8}[\x20-\x7e]+?[\x00]*?\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2017877; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Connection"; flow:established,to_server; content:"{|22|id|22 3A|"; depth:6; content:"|22|method|22 3A| |22|getblocktemplate|22|"; within:40; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:trojan-activity; sid:2017878; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY W32/BitCoinMiner.MultiThreat Getblocktemplate Protocol Server Coinbasetxn Begin Mining Response"; flow:established,to_client; content:"|22|result|22 3A| {"; depth:50; content:"|22|coinbasetxn|22 3A| {"; within:30; content:"|22|data|22 3A| |22|"; within:30; reference:url,en.bitcoin.it/wiki/Getblocktemplate; classtype:trojan-activity; sid:2017879; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Linkular.Adware Sucessful Install Beacon"; flow:established,to_server; content:"/api/success/?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&cv="; http_uri; content:"&context="; http_uri; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; sid:2017880; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; content:"/downloads/icons.dat"; fast_pattern:only; http_uri; content:"User-Agent|3A| NSIS_Inetc (Mozilla)"; http_header; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; sid:2017881; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8983 (msg:"ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack"; flow:to_server,established; content:"../../"; fast_pattern:only; content:"&wt=xslt"; nocase; content:"&tr="; reference:cve,CVE-2013-6397; reference:url,www.agarri.fr/kom/archives/2013/11/27/compromising_an_unreachable_solr_server_with_cve-2013-6397/index.html; classtype:attempted-user; sid:2017882; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Ferret DDOS Bot CnC Beacon"; flow:established,to_server; urilen:14; content:"POST"; http_method; content:"/hor/input.php"; http_uri; content:"User-Agent|3a 20|Mozilla Gecko Firefox 25|0d 0a|"; fast_pattern:12,24; http_header; content:"m="; http_client_body; depth:2; content:"&h="; http_client_body; within:50; reference:md5,c49e3411294521d63c7cc28e08cf8a77; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:trojan-activity; sid:2017883; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - ZIP file with .exe filename inside (Inbound)"; flow:established,to_server; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017884; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - RAR file with .exe filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(5leG|LmV4|uZXhl)/R"; classtype:bad-unknown; sid:2017885; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - EXE SMTP Attachment"; flow:established; content:"|0D 0A 0D 0A|TV"; content:"AAAAAAAAAAAAAAAA"; within:200; classtype:bad-unknown; sid:2017886; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - ZIP file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017887; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - RAR file with .com filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(uY29t|5jb2|LmNvb)/R"; classtype:bad-unknown; sid:2017888; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - ZIP file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UEsDB"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017889; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET INFO SUSPICIOUS SMTP EXE - RAR file with .scr filename inside"; flow:established; content:"|0D 0A 0D 0A|UmFyI"; pcre:"/^[A-Za-z0-9\/\+\x0D\x0A]+?(LnNjc|Euc2Ny|S5zY3)/R"; classtype:bad-unknown; sid:2017890; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/GMUnpacker.Downloader Download Instructions Response From CnC"; flow:established,to_client; file_data; content:"<AD>"; within:4; content:"<TIPAD>"; distance:0; content:"<POPUP>"; distance:0; content:"<REG>HKEY_LOCAL_MACHINE|5c|SOFTWARE|5c|Microsoft|5c|Windows|5c|CurrentVersion|5c|"; distance:0; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:trojan-activity; sid:2017891; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GMUnpackerInstaller.A Checkin"; flow:to_server,established; content:"/new/rar.xml"; fast_pattern:only; nocase; http_uri; content:!"User-Agent|3a| "; nocase; http_header; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:trojan-activity; sid:2017892; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef Landing URI Struct"; flow:established,to_server; content:"/?"; http_uri; content:"LvoDc0RHa8NnZ"; http_uri; pcre:"/\/\?={0,2}[A-Za-z0-9\+\/]+?LvoDc0RHa8NnZ$/U"; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:trojan-activity; sid:2017893; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DotkaChef Payload Dec 20 2013"; flow:established,to_server; content:"/?f=bb.mp3"; http_uri; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2013/analyzing-dotkachef-exploit-pack/; classtype:trojan-activity; sid:2017894; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Kuluoz/Asprox Activity Dec 23 2013"; flow:established,to_server; content:!"Referer|3a|"; http_header; pcre:"/^\/[A-Za-z0-9]{8,}+$/U"; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64|3b| rv|3a|25.0) Gecko/20100101 Firefox/25.0"; http_header; fast_pattern:64,20; content:!"Host|3a|"; http_header; depth:5; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})\r$/Hmi"; reference:md5,a3e0f51356d48124fba25485d1871b28; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2017895; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; content:"Jm9zX2ZsYXZvcj"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; content:"Zvc19mbGF2b3I9"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017897; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; content:"mb3NfZmxhdm9yP"; http_client_body; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible PDF Dictionary Entry with Hex/Ascii replacement"; flow:established,from_server; file_data; content:"%PDF-"; fast_pattern; within:5; content:"obj"; pcre:"/^[\r\n\s]*?<<(?:(?!>>).)+?\/[a-zA-Z\d]*?#(?:[46][1-9a-fA-F]|[57][\daA])(?:[a-zA-Z\d])*?#(?:[46][1-9a-fA-F]|[57][\daA])/Rsi"; classtype:trojan-activity; sid:2017899; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<</"; pcre:"/^(?:L|#4c)(?:e|#65)(?:n|#6e)(?:g|#67)(?:t|#74)(?:h|#68)\x20\d+?\/(?:F|#46)(?:i|#69)(?:l|#6c)(?:t|#74)(?:e|#65)(?:r|#72)\[\/(?:F|#46)(?:l|#6c)(?:a|#61)(?:t|#74)(?:e|#65)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\/(?:A|#41)(?:S|#53)(?:C|#43)(?:I|#49){2}(?:H|#48)(?:e|#65)(?:x|#78)(?:D|#44)(?:e|#65)(?:c|#63)(?:o|#6f)(?:d|#64)(?:e|#65)\]>>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:trojan-activity; sid:2017900; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Angler EK Flash Exploit Dec 24 2013"; flow:established,to_server; urilen:15; content:"/4"; depth:2; http_uri; pcre:"/^GET \/4(?P<baseuri>[a-z0-9]{10})[a-z0-9]{3} HTTP\/1\.[01]\r\n.*?Referer\x3a http\x3a\/\/[^\/]+?\/(?P=baseuri)\r\n/s"; classtype:trojan-activity; sid:2017901; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Angler EK Possible Flash/IE Payload Dec 24 2013"; flow:established,to_server; urilen:15; content:"/3"; depth:2; http_uri; pcre:"/^\/3[a-z0-9]{13}$/U"; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2017902; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Urausy.C Checkin 4"; flow:to_server,established; urilen:>80; content:"GET"; http_method; pcre:"/^\/([^\x2f]+?\/)?[a-z-_]+?\.(php|html)$/Ui"; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| Trident/5.0)|0d 0a|"; fast_pattern:57,20; depth:77; http_header; content:!"Referer|3a| "; http_header; content:!"Accept|3a| "; http_header; reference:md5,0032856449dbef5e63b8ed2f7a61fff9; classtype:trojan-activity; sid:2017903; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Angler EK Flash Exploit Dec 26 2013"; flow:established,to_server; content:"/4"; depth:2; http_uri; content:"?&xkey="; http_uri; content:"&exec=aHR0cDov"; http_uri; pcre:"/\/4[a-z0-9]{13}\?&xkey=/U"; classtype:trojan-activity; sid:2017904; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO/GrandSoft PDF"; flow:established,from_server; file_data; content:"/TM(gawgewafgwe[0].#subform[0]"; classtype:trojan-activity; sid:2017905; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Unknown_.aso - URI - IP.aso"; flow:established,to_server; content:".aso"; http_uri; fast_pattern:only; pcre:"/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.aso$/U"; classtype:bad-unknown; sid:2017906; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing with CVE-2013-2551 Dec 29 2013"; flow:established,from_server; file_data; content:"javafx_version"; fast_pattern:only; content:"fromCharCode"; pcre:"/^[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*?\.charCodeAt[\r\n\s]*?\([\r\n\s]*?[a-zA-Z_$][^\r\n\s]*[\r\n\s]*?\)[\r\n\s]*?\^[\r\n\s]*?[a-zA-Z_$][^\r\n\s]*\.charCodeAt[\r\n\s]*?\(/Rsi"; content:"decodeURIComponent"; content:"applet"; classtype:trojan-activity; sid:2017907; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK encrypted binary (1)"; flow:established,to_client; file_data; content:"|20 69 c3 34 55 6d 33 53|"; depth:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017908; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO suspicious - uncompressed pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|ca fe d0 0d|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017909; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO suspicious - gzipped file via JAVA - could be pack200-ed JAR"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"|1f 8b 08 00|"; depth:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017910; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; content:"/?step_id="; http_uri; content:"&publisher_id="; http_uri; content:"&page_id="; http_uri; content:"&country_code="; http_uri; content:"&browser_id="; http_uri; content:"&download_id="; http_uri; content:"&hardware_id="; http_uri; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017911; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?report_version="; http_uri; content:"data="; http_client_body; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017912; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 7"; flow:to_server,established; dsize:>11; content:"|79 95|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x95/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017913; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 8"; flow:to_server,established; dsize:>11; content:"|79 99|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x79\x99/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,be92836bee1e8abc1d19d1c552e6c115; classtype:trojan-activity; sid:2017914; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 9"; flow:to_server,established; dsize:>11; content:"|7a 9b|"; offset:8; byte_jump:4,-10,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7a\x9b/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:trojan-activity; sid:2017915; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 10"; flow:to_server,established; dsize:>11; byte_jump:4,0,from_beginning,little,post_offset -1; isdataat:!1,relative; content:"|78 9c|"; fast_pattern:only; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a88e0e5a2c8fd31161b5e4a31e1307a0; classtype:trojan-activity; sid:2017916; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Ferret DDOS Bot CnC Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Mozilla|20|"; fast_pattern; http_header; content:"m"; depth:1; http_client_body; pcre:"/^m(?:ode)?=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})&h(?:wid)?=/P"; reference:md5,f582667d5ce743436fb24771eb22a0e8; reference:url,www.arbornetworks.com/asert/2013/12/a-business-of-ferrets/; classtype:trojan-activity; sid:2017917; rev:4;)
+
+#
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x02"; content:"|00 02 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017918; rev:2;)
+
+#
+alert udp any any -> any 123 (msg:"ET DOS Possible NTP DDoS Inbound Frequent Un-Authed MON_LIST Requests IMPL 0x03"; content:"|00 03 2A|"; offset:1; depth:3; byte_test:1,!&,128,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_dst,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017919; rev:2;)
+
+#
+alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017920; rev:2;)
+
+#
+alert udp $HOME_NET 123 -> $EXTERNAL_NET any (msg:"ET DOS Possible NTP DDoS Multiple MON_LIST Seq 0 Response Spanning Multiple Packets IMPL 0x03"; content:"|00 03 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 2,seconds 60; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; classtype:attempted-dos; sid:2017921; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 2012:2014 (msg:"ET TROJAN Win32.Morix.B checkin"; flow:to_server,established; content:"|00 00 42 42 43 42 43|"; offset:2; depth:7; reference:md5,25623fa3a64f6bed301822f8fe6aa9b5; classtype:trojan-activity; sid:2017922; rev:3;)
+
+#
+alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2;)
+
+#
+alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2;)
+
+#
+alert udp any any -> any 53 (msg:"ET POLICY DNS lookup for bridges.torproject.org IP lookup/Tor Usage check"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|bridges|0a|torproject|03|org|00|"; nocase; reference:url,www.torproject.org/docs/bridges.html.en; reference:md5,2e3f7f9b3b4c29aceccab693aeccfa5a; classtype:policy-violation; sid:2017925; rev:3;)
+
+#
+alert udp any any -> any 53 (msg:"ET POLICY DNS lookup for check.torproject.org IP lookup/Tor Usage check"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|check|0a|torproject|03|org|00|"; nocase; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:policy-violation; sid:2017926; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over HTTP"; flow:established,to_server; content:"check.torproject.org"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a\s*?check\.torproject\.org(?:\x3a\d{1,5})?\r?$/Hmi"; reference:md5,e87f0db605517e851d571af2e78c5966; classtype:policy-violation; sid:2017927; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY check.torproject.org IP lookup/Tor Usage check over TLS with SNI"; flow:established,to_server; content:"|00 14|check.torproject.org"; nocase; classtype:policy-violation; sid:2017928; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY bridges.torproject.org over TLS with SNI"; flow:established,to_server; content:"|00 16|bridges.torproject.org"; nocase; reference:url,www.torproject.org/docs/bridges.html.en; classtype:policy-violation; sid:2017929; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Generic - POST To gate.php with no referer"; flow:established,to_server; content:"POST"; http_method; content:"/gate.php"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2017930; rev:8;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Redirection - Injection - Modified Edwards Packer Script"; flow:established,to_client; file_data; content:"function(s,a,c,k,e,d"; classtype:trojan-activity; sid:2017931; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TraceMyIP IP lookup"; flow:established,to_server; content:"tracemyip.org"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a\s*?([^\r\n]+?\.)?tracemyip.org(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:policy-violation; sid:2017933; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 11"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,0,little,from_beginning; isdataat:!6,relative; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017934; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12 SET"; flow:to_server,established; dsize:8; content:"|00 00|"; offset:2; depth:2; content:"|00 00|"; distance:2; within:2; flowbits:set,ET.gh0stFmly; flowbits:noalert; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017935; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 12"; flow:to_server,established; flowbits:isset,ET.gh0stFmly; content:"|78 9c|"; depth:2; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,a2469f4913f1607e4207ba0a8768491c; classtype:trojan-activity; sid:2017936; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for whoismama.ru"; flow:established,to_client; content:"www.whoismama.ru"; fast_pattern:only; nocase; reference:md5,cca1713888b0534954234cf31dd5a7d4; classtype:trojan-activity; sid:2017940; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for dewart.ru"; flow:established,to_client; content:"www.deweart.ru"; fast_pattern:only; nocase; reference:md5,6e0a6c4a06a446f70ae1463129711122; classtype:trojan-activity; sid:2017941; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for anlogtewron.ru"; flow:established,to_client; content:"www.anlogtewron.ru"; fast_pattern:only; nocase; reference:md5,c13c3e331f05d61a7204fb4599b07709; classtype:trojan-activity; sid:2017942; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Zbot Variant SSL cert for erjentronem.ru"; flow:established,to_client; content:"www.erjentronem.ru"; fast_pattern:only; nocase; reference:md5,05ddaa5b6b56123e792fd67bb03376bc; classtype:trojan-activity; sid:2017943; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Short Google Search Appliance UA Win32/Ranbyus and Others"; flow:established,to_server; content:"User-Agent|3a 20|gsa-crawler|0d 0a|"; nocase; http_header; fast_pattern:5,20; reference:url,developers.google.com/search-appliance/documentation/50/help_mini/crawl_headers; reference:md5,98b58bd8a5138a31105e118e755a3773; reference:md5,c07a6035e9c7fed2467afab1a9dbcf40; classtype:trojan-activity; sid:2017937; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 13"; flow:to_server,established; byte_jump:4,0,little,from_beginning,post_offset -1; isdataat:!7,relative; content:"|7c 9e|"; offset:13; depth:8; pcre:"/^.{8}[\x20-\x7e]+?.{5}\x7c\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,6a6ef7b4c7e8300a73b206e32e14ce3c; classtype:trojan-activity; sid:2017938; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 14"; flow:to_server,established; dsize:>11; byte_extract:4,0,c_size,little; byte_test:4,>,c_size,4,little; content:"|08 01|"; offset:2; depth:2; content:"|79 94|"; offset:13; depth:2; pcre:"/^.{8}[\x20-\x7e]+?\x79\x94/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,9fae15fa8ab6bb8d78d609bdceafe28e; classtype:trojan-activity; sid:2017944; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Adware.PUQD Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/debug/Version/"; fast_pattern:only; http_uri; content:"/trace/"; http_uri; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/U"; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:trojan-activity; sid:2017945; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent.BAAB Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/debug/trace/"; fast_pattern:only; http_uri; content:"User-Agent|3a 20|NSISDL/1.2|20|(Mozilla)|0d 0a|"; http_header; content:!"Referer|3a|"; http_header; content:"Accept|3a|"; http_header; pcre:"/^\/debug\/trace\/(?:Fw(?:Downloaded|Check)|N(?:oFw|sis))$/U"; reference:md5,406fea6262d8ee05e0ab4247c1083443; reference:url,www.virustotal.com/en/file/b0baed750f09ff058e5bd28d6443da833496dc1d1ed674ee6b2caf91889f648e/analysis/1389133969/; classtype:trojan-activity; sid:2017946; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Styx Kein Landing URI Struct"; flow:to_server,established; content:"/?"; depth:2; http_uri; fast_pattern; pcre:"/^\/\?[^=&\?]{4,}=[^&]{20,}$/U"; content:"Host|3a 20|www"; http_header; content:!"."; within:1; http_header; pcre:"/^Host\x3a\x20www\d+?\.[^\.]+?\.[^\.]+?\.([^\.]+\.)*?[a-z]{2,4}(?:\x3a\d{1,5})?\r$/Hmi"; classtype:trojan-activity; sid:2017947; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LDPinch Checkin Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"a="; http_client_body; depth:2; content:"&b="; distance:0; http_client_body; content:"&d="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; classtype:trojan-activity; sid:2017948; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS FOCA User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a 20|FOCA|0d 0a|"; http_header; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017949; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN FOCA uri"; flow:established,to_server; content:"GET"; http_method; content:"/*F0C4~1*/foca.aspx?aspxerrorpath=/"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; reference:url,blog.bannasties.com/2013/08/vulnerability-scans/; classtype:attempted-recon; sid:2017950; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - Title"; flow:established,to_client; file_data; content:"<title>PHP Shell offender</title>"; nocase; classtype:web-application-attack; sid:2017951; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER ATTACKER WebShell - PHP Offender - POST Command"; flow:established,to_server; content:"work_dir="; http_client_body; content:"command="; http_client_body; content:"submit_btn=Execute+Command"; http_client_body; classtype:web-application-attack; sid:2017952; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"window.GetKey"; nocase; fast_pattern; content:"window.GetUrl"; nocase; content:"aHR0cDov"; distance:0; content:"#default#VML"; classtype:trojan-activity; sid:2017953; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 1"; flow:established,to_client; file_data; content:"ODAvM"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?ODAvM[a-zA-Z0-9\/\+]{18}(?:=|%3D)[\x22\x27]/R"; classtype:trojan-activity; sid:2017954; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 2"; flow:established,to_client; file_data; content:"4MC8x"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?4MC8x[a-zA-Z0-9\/\+]{18}(?:=|%3D){2}[\x22\x27]/R"; classtype:trojan-activity; sid:2017955; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK Landing Jan 10 2014 3"; flow:established,to_client; file_data; content:"OjgwL"; fast_pattern:only; content:".GetUrl"; nocase; content:"aHR0cDo"; pcre:"/^[a-zA-Z0-9\/\+]+?OjgwL[a-zA-Z0-9\/\+]{19}[\x22\x27]/R"; classtype:trojan-activity; sid:2017956; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 10 2014"; flow:established,to_client; file_data; content:"javafx_version"; fast_pattern:only; nocase; content:"46"; pcre:"/^(?P<sep>[^\x22\x27]{1,10})100(?P=sep)97(?P=sep)115(?P=sep)104(?P=sep)115(?P=sep)116(?P=sep)121(?P=sep)108(?P=sep)101(?P=sep)46(?P=sep)97(?P=sep)114(?P=sep)114(?P=sep)97(?P=sep)121(?P=sep)/R"; classtype:trojan-activity; sid:2017957; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 8000 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino EK SilverLight Exploit Jan 11 2014"; flow:established,from_server; file_data; content:"AppManifest.xaml"; content:"dig.dll"; nocase; fast_pattern:only; pcre:"/\bdig\.dll\b/"; classtype:trojan-activity; sid:2017958; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mevade.Variant CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"uuid|3A 20|"; http_header; content:!"User-Agent|3A|"; http_header; content:"|C8 71 04 ED 87 F6 DD 77 87|"; http_client_body; depth:9; pcre:"/^\x2F(?:policy|cache)$/U"; reference:url,labs.umbrella.com/2013/10/24/mysterious-dga-lets-investigate-sgraph/; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:trojan-activity; sid:2017959; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Bitcoin Mining Server Stratum Protocol HTTP Header"; flow:established,to_client; content:"X-Stratum|3A|"; http_header; reference:url,www.anubisnetworks.com/unknowndga17-the-mevade-connection/; classtype:policy-violation; sid:2017960; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED PE EXE or DLL Windows file download disguised as ASCII - SET"; flow:established; content:"|34 44 35 41|"; byte_jump:8,116,relative,multiplier 2,little,string; isdataat:1,relative; flowbits:set,ET.http.binary.ASCII; flowbits:noalert; classtype:trojan-activity; sid:2017961; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN PE EXE or DLL Windows file download disguised as ASCII"; flow:established,from_server; file_data; content:"|34 44 35 41|"; depth:4; content:"|35 30 34 35 30 30|"; distance:0; classtype:trojan-activity; sid:2017962; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Neutrino/Fiesta SilverLight Exploit Jan 13 2014 DLL Naming Convention"; flow:established,from_server; file_data; content:"PK|01 02|"; content:"|10 00|"; distance:24; within:2; content:"AppManifest.xaml"; distance:16; within:16; content:"PK|01 02|"; within:36; content:"|07 00|"; distance:24; within:2; pcre:"/^.{16}[a-z]{3}\.dll/Rs"; content:"PK|05 06|"; within:36; content:"|02 00 02 00|"; distance:4; within:4; classtype:trojan-activity; sid:2017963; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kishop.A checkin"; flow:to_server; content:"POST"; http_method; content:".php?mark="; http_uri; content:"&type="; http_uri; content:"&theos="; http_uri; reference:md5,bad7cd3c534c95867f5dbe5c5169a4da; classtype:trojan-activity; sid:2017964; rev:1;)
+
+#
+alert udp any 123 -> any 0:1023 (msg:"ET DOS Likely NTP DDoS In Progress MON_LIST Response to Non-Ephemeral Port IMPL 0x02"; content:"|00 02 2a|"; offset:1; depth:3; byte_test:1,&,128,0; byte_test:1,&,64,0; byte_test:1,&,4,0; byte_test:1,&,2,0; byte_test:1,&,1,0; threshold: type both,track by_src,count 1,seconds 120; reference:url,www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks; reference:url,en.wikipedia.org/wiki/Ephemeral_port; classtype:attempted-dos; sid:2017965; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN StartPage jsp checkin"; flow:to_server,established; urilen:27<>40; content:"POST"; http_method; content:"/201"; http_uri; fast_pattern:only; content:".jsp"; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.2|3b 20|.NET CLR 1.1.4322|3b 20|.NET CLR 2.0.50727|3b 20|InfoPath.1)|0d 0a|"; http_header; content:!"Accept-Language|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; pcre:"/^\/201\d{5,8}\/\d{6,11}\/\d{5,10}\.jsp$/U"; threshold:type both,track by_src,count 2,seconds 60; reference:md5,bb7bbb0646e705ab036d73d920983256; classtype:trojan-activity; sid:2017967; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.Win32/Daceluw.A Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:12; content:"/wow/wow.asp"; depth:12; http_uri; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; content:"&WOWID="; depth:7; http_client_body; content:"&Area="; distance:0; http_client_body; content:"&WU="; distance:0; http_client_body; content:"&WP="; distance:0; http_client_body; content:"&MAX="; distance:0; http_client_body; content:"&Gold="; distance:0; http_client_body; content:"&Serv="; distance:0; http_client_body; content:"&rn="; distance:0; http_client_body; content:"&key="; distance:0; http_client_body; reference:url,xylibox.com/2014/01/trojwowspy-a.html; classtype:trojan-activity; sid:2017970; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Possible Process Dump in POST body"; flow:established,to_server; content:"POST"; http_method; content:"System Idle Process"; fast_pattern:only; http_client_body; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; classtype:trojan-activity; sid:2017968; rev:3;)
+
+#
+alert tcp any any -> any $HTTP_PORTS (msg:"ET CURRENT_EVENTS Netgear N150 passwordrecovered.cgi attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/passwordrecovered.cgi?id="; nocase; http_uri; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; classtype:attempted-admin; sid:2017969; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET CURRENT_EVENTS Possible Neutrino IE/Silverlight Payload Download"; flow:established,to_server; content:"WinHttp.WinHttpRequest."; http_header; pcre:"/^\/[a-z]+?\?[a-z]+?=[a-z]+$/U"; classtype:trojan-activity; sid:2017971; rev:8;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ICEFOG JAVAFOG JAR checkin"; flow:to_server; content:"POST"; http_method; content:"?title=2.0_-"; http_uri; fast_pattern:only; content:"User-Agent|3a 20|Java"; http_header; content:"content=HostName|3a 20|"; depth:18; http_client_body; content:"|0d 0a|Java Version|3a 20|"; distance:0; http_client_body; content:"|0d 0a 20|HostIp|3a 20|"; distance:0; http_client_body; content:!"Accept-Language|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; reference:url,www.securelist.com/en/blog/208214213/The_Icefog_APT_Hits_US_Targets_With_Java_Backdoor; reference:url,jsunpack.jeek.org/dec/go?report=6b63068d3259f5032a301e0d3f935b4d3f2e2998; classtype:trojan-activity; sid:2017972; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nuclear EK CVE-2013-3918"; flow:established,from_server; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; content:"Array"; nocase; distance:0; content:"|22|"; nocase; within:500; content:!"|22|"; within:500; pcre:"/^[a-z0-9]{1,500}?(?P<s>[a-z0-9]{2})(?P<t>(?!(?P=s))[a-z0-9]{2})(?P<r>(?!(?:(?P=s)|(?P=t)))[a-z0-9]{2})(?P=t)(?P<o>(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{2})(?P<b>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)))[a-z0-9]{2})(?P<y>(?!(?:(?P=s)|(?P=t)|(?P=r)|(?P=o)|(?P=b)))[a-z0-9]{2})(?P=t)(?:(?!(?:(?P=s)|(?P=t)|(?P=r)))[a-z0-9]{4})(?P=s)(?P=t)(?P=r)/Rs"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017973; rev:8;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 15"; flow:to_server,established; dsize:>11; content:"FWKJGH"; offset:8; depth:6; byte_jump:4,0,little,from_beginning,post_offset 5; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,edd8c8009fc1ce2991eef6069ae6bf82; classtype:trojan-activity; sid:2017974; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible AnglerEK Landing URI Struct"; flow:established,to_server; content:"?thread="; http_uri; nocase; fast_pattern:only; content:"key="; http_uri; nocase; pcre:"/^\/[a-z0-9]+?\?thread=\d+?&x?key=[A-F0-9]{32}$/U"; classtype:trojan-activity; sid:2017975; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible AnglerEK Java Exploit/Payload Structure Jan 16 2014"; flow:established,to_server; urilen:49; content:" Java/1."; http_header; pcre:"/^\/[a-z0-9_\-]{48}$/Ui"; classtype:trojan-activity; sid:2017976; rev:8;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:trojan-activity; sid:2017977; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate marchsf"; flow:established,from_server; content:"|02 07 04 81 e4 de 05 6a 5a|"; content:"|0b|marchsf.com"; distance:0; fast_pattern; classtype:trojan-activity; sid:2017978; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate california89"; flow:established,from_server; content:"|02 07 2b 00 ee 19 5e ab 1f|"; content:"|10|california89.com"; distance:0; classtype:trojan-activity; sid:2017979; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Updatre Compromised SSL Certificate thebostonshaker"; flow:established,from_server; content:"|02 07 27 7d 65 4a cd bf 4e|"; content:"|17|www.thebostonshaker.com"; distance:0; classtype:trojan-activity; sid:2017981; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO InformationCardSigninHelper ClassID (Vulnerable ActiveX Control in CVE-2013-3918)"; flow:established,to_client; file_data; content:"19916E01-B44E-4E31-94A4-4696DF46157B"; nocase; classtype:misc-activity; sid:2017980; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent 100 non-printable char"; flow:to_server,established; content:"User-Agent|3a 20|"; pcre:"/^([\x7f-\xff]){100}/Ri"; reference:md5,176638536e926019e3e79370777d5e03; classtype:trojan-activity; sid:2017982; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Java/Jacksbot Check-in"; flow:established,to_server; content:"|00 2d 00 68 00 20 00 32 00 66 00|"; pcre:"/^(?:4\x00[1-9a-f]|5\x00[\da])/Rs"; content:"|00 33 00 61 00|"; within:5; reference:md5,6d93fc6132ae6938013cdd95354bff4e; classtype:trojan-activity; sid:2017983; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (1) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 36 f4 6f 6d 6a 66 67|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017984; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (2) Jan 17 2013"; flow:established,to_client; file_data; content:"|2c 3e f2 32 30 34 6e 68|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017985; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (3) Jan 17 2013"; flow:established,to_client; file_data; content:"|7d 6b f8 64 76 74 6e 66|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017986; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Upatre SSL Compromised site appsredeeem"; flow:established,to_client; content:"|12|www.appsredeem.com"; nocase; classtype:trojan-activity; sid:2017987; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 16"; flow:to_server,established; dsize:>11; content:"|7d 9b|"; offset:8; depth:2; byte_jump:4,0,little,from_beginning, post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,ece8808981043f830bacc4133d68e394; classtype:trojan-activity; sid:2017988; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Angler EK encrypted binary (4)"; flow:established,to_client; file_data; content:"|21 3b e3 70 65 6e 66 64|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017989; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; content:"/dmresources/instructions.dat"; fast_pattern:0,20; depth:29; http_uri; content:"|20|HTTP/1.0|0d 0a|"; content:!"Referer|3a|"; http_header; content:"User-Agent|3a 20|NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; reference:url,www.virustotal.com/en/file/95e0eaaee080f2c167464ed6da7e4b7a27937ac64fd3e1792a1aa84c1aed488e analysis/; classtype:trojan-activity; sid:2017992; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN GoonEK Jan 21 2013"; flow:established,from_server; file_data; content:"#default#VML"; fast_pattern:only; content:"|5c 5c 3a|"; content:"|5c 5c 3a|"; distance:0; content:".namespaces.add"; nocase; pcre:"/^[\r\n\s]*?\([^\)]*?[\x22\x27]#/Ri"; content:!"default#VML"; within:12; pcre:"/^d(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?e(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?f(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?a(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?u(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?l(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?t(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?#(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?V(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?M(?:[\x22\x27][\r\n\s]*?\+[\r\n\s]*?[\x22\x27])?L[\x22\x27]/Rs"; classtype:trojan-activity; sid:2017993; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS VBSAutorun_VBS_Jenxcus Check-in UA"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"User-Agent|3A 20|"; content:"|3C 7C 3E|"; fast_pattern; distance:0; content:"|3C 7C 3E|"; distance:0; pcre:"/^User-Agent\x3a\x20[^\r\n]+?\x3c\x7c\x3e[^\r\n]+?\x3c\x7c\x3e[^\r\n]+?\x3c\x7c\x3e/m"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24761/en_US/McAfee%20Labs%20Threat%20Advisory-VBSAutorun%20Worm.pdf; reference:url, www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?ThreatId=-2147283579&mstLocPickShow=False#tab=2; classtype:trojan-activity; sid:2017994; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 1"; flow:established,from_server; file_data; content:"Y21kLmV4ZSA"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017995; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 2"; flow:established,from_server; file_data; content:"NtZC5leGUg"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017996; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS GoonEK Landing Jan 21 2013 SilverLight 3"; flow:established,from_server; file_data; content:"jbWQuZXhlI"; pcre:"/^[a-zA-Z0-9\+\/]+?(?:V2luSHR0cC5XaW5IdHRwUmVxdWVzdC41Lj|XaW5IdHRwLldpbkh0dHBSZXF1ZXN0LjUuM|dpbkh0dHAuV2luSHR0cFJlcXVlc3QuNS4x)/R"; classtype:trojan-activity; sid:2017997; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible IE/SilverLight GoonEK Payload Download"; flow:to_server,established; content:".mp3"; fast_pattern:only; http_uri; content:"WinHttp.WinHttpRequest.5"; http_header; pcre:"/\/\d{3,}\.mp3$/U"; classtype:trojan-activity; sid:2017998; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy getLastVersion CnC Beacon"; flow:established,to_server; content:"POST /getLastVersion "; depth:21; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2017999; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy RegisterRequest CnC Beacon"; flow:established,to_server; content:"POST /register "; depth:15; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018000; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy LoginRequest CnC Beacon"; flow:established,to_server; content:"POST /login "; depth:12; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018001; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportRequest CnC Beacon"; flow:established,to_server; content:"POST /report "; depth:13; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018002; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy GetTaskRequest CnC Beacon"; flow:established,to_server; content:"POST /getTask "; depth:14; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018003; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 9008 (msg:"ET MOBILE_MALWARE Android/HeHe.Spy ReportMessageRequest CnC Beacon"; flow:established,to_server; content:"POST /reportMessage "; depth:20; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(\x3a|\r)/m"; reference:url,www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html; classtype:trojan-activity; sid:2018004; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Possible Upatre Downloader SSL certificate (fake org)"; flow:established,from_server; content:"|06 03 55 04 0a|"; pcre:"/^.{2}(?P<fake_org>([asdfgh]+|[qwerty]+|[zxcvbn]+)[01]).+?\x06\x03\x55\x04\x0a.{2}(?P=fake_org)/Rs"; classtype:trojan-activity; sid:2018005; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Browlock Hostname Format US"; flow:established,to_server; content:"Host|3a 20|fbi.gov."; http_header; fast_pattern:only; classtype:trojan-activity; sid:2018006; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 17"; flow:to_server,established; dsize:>11; content:"AngeL"; depth:5; byte_jump:4,0,relative,little,from_beginning,post_offset -1; isdataat:!1,relative; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; classtype:trojan-activity; sid:2018007; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN DNS Query Possible Zbot Infection Query for networksecurityx.hopto.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|networksecurityx|05|hopto|03|org|00|"; fast_pattern; nocase; distance:0; reference:md5,37782108e8b7f331a6fdeabef9c8a774; reference:md5,10fa9c6c27e6eb512d12dee8181e182f; classtype:trojan-activity; sid:2018008; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SUSPICIOUS HTTP Request to .bit domain"; flow:to_server,established; content:".bit"; fast_pattern; nocase; http_header; pcre:"/^Host\x3a[^\r\n]+\.bit(?:\x3a\d{1,5})?\r$/Hmi"; reference:url,normanshark.com/blog/necurs-cc-domains-non-censorable/; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:bad-unknown; sid:2018009; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious UA (^IE[\d\s])"; flow:established,to_server; content:"User-Agent|3a 20|IE"; http_header; nocase; fast_pattern:only; content:!"symantec"; nocase; http_header; content:!"norton"; nocase; http_header; pcre:"/^User-Agent\x3a\x20IE[\d\s]/Hmi"; reference:md5,209e6701da137084c2f60c90d64505f2; classtype:trojan-activity; sid:2018010; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Jan 24 2013"; flow:established,to_client; file_data; content:"0x3dcde1&&"; nocase; content:"0x4e207d"; nocase; within:50; classtype:attempted-user; sid:2018011; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P Vagaa peer-to-peer (Transfer)"; flow:from_client,established; content:"|0d 0a|VAGAA-OPERATION|3a| Transfer|0d 0a|"; reference:url,en.wikipedia.org/wiki/Vagaa; classtype:policy-violation; sid:2018012; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 18"; flow:to_server,established; dsize:>11; content:"|7b 9e|"; offset:8; byte_jump:4,-10,little,relative,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^[\x20-\x7e]+?.{8}\x7b\x9e/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/PcClient.ZR&ThreatID=-2147325231; reference:md5,1f46b1e0a7fe83d24352e98b3ab3fc3f; classtype:trojan-activity; sid:2018013; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080: (msg:"ET POLICY PrimeCoinMiner.Protominer"; flow:established,to_server; content:"|01 27 00 00 05 00 00 00 09|"; depth:9; content:"node"; nocase; distance:0; within:4; content:"Protominer"; distance:14; within:10; reference:md5,4cab48eec2b882ec33db2e2a13ecffe6; classtype:policy-violation; sid:2018014; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Limitless Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Limitless Logger|20 3a 20 3a|"; nocase; fast_pattern:9,20; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018015; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Limitless Logger Sending Data over SMTP 2"; flow:to_server,established; content:"Limitless Logger successfully ran on this computer."; nocase; reference:md5,243dda18666ae2a64685e51d82c5ad69; classtype:trojan-activity; sid:2018016; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Predator Logger Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|Predator Logger|20|"; fast_pattern:5,20; reference:md5,91f885e08d627097fb1116a3d4634b82; classtype:trojan-activity; sid:2018017; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Win32/Antilam.2_0 Sending Data over SMTP"; flow:to_server,established; content:"Subject|3a 20|CigiCigi Logger"; fast_pattern:4,20; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018018; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Win32.WinSpy.pob Sending Data over SMTP"; flow:to_server,established; content:"filename="; content:"PC_Active_Time.txt"; within:19; content:"|0d 0a|"; within:3; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018019; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Win32.WinSpy.pob Sending Data over SMTP 2"; flow:to_server,established; content:"Subject|3a 20|LOG|20|FILE|20 20|Current User|3a|"; reference:md5,d95845c510ec1f5ad38cb9ccab16c38b; classtype:trojan-activity; sid:2018020; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY myip.ru IP lookup"; flow:established,to_server; content:"myip.ru"; nocase; http_header; fast_pattern:only; pcre:"/^Host\x3a\s*?(?:[^\r\n]+?\.)?myip\.ru(?:\x3a\d{1,5})?\r?$/Hmi"; classtype:policy-violation; sid:2018021; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Dimegup.A Downloading Image Common URI Struct"; flow:established,to_server; content:"/444.jpg"; http_uri; fast_pattern:only; content:"postimg.org"; http_header; pcre:"/^Host\x3a[^\r\n]+\.postimg\.org(?:\x3a\d{1,5})?\r?$/Hmi"; reference:md5,914c58df5d868f7c3438921d682f7fe5; classtype:trojan-activity; sid:2018022; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LockscreenBEI.Scareware Cnc Beacon"; flow:established,to_server; urilen:18; content:"GET"; http_method; content:"/reboot/index.html"; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,04948b6045730d4ec626f79504c7f9ad; reference:md5,9fff65c23fe403d25c08a5cdd3dc775d; classtype:trojan-activity; sid:2018023; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; content:"/updater/"; http_uri; content:"User-Agent|3A 20|UpdaterResponse"; http_header; fast_pattern:12,15; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018024; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; content:"POST"; content:"User-Agent|3A 20|UpdaterResponse"; http_header; fast_pattern:12,15; pcre:"/^\x2F[A-F0-9]{25,40}$/U"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018025; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; content:"/Check.ashx?"; depth:12; http_uri; content:"&e="; http_uri; content:"&n="; http_uri; content:"&mv="; http_uri; content:!"Referer|3a 20|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018026; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Win32/Xtrat C2 Response"; flow:established,from_server; content:"S|00|T|00|A|00|R|00|T|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R"; depth:33; reference:url,threatexpert.com/report.aspx?md5=f45b1b82c849fbbea3374ae7e9200092; classtype:trojan-activity; sid:2018027; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Madness Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&mk="; http_uri; fast_pattern:only; content:"&rs="; http_uri; content:"&rq="; http_uri; content:"&ver="; http_uri; pcre:"/\?uid=\d{8}&ver=\d\.\d{2}&mk=[0-9a-f]{6}&os=[A-Za-z0-9]+&rs=[a-z]+&c=\d+&rq=\d/U"; reference:url,www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/; reference:md5,3e4107ccf956e2fc7af171adf3c18f0a; classtype:trojan-activity; sid:2018028; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ehow/livestrong Malicious Flash 10/11"; flow:established,to_server; urilen:13; content:".swf"; http_uri; offset:9; depth:4; pcre:"/^\/[a-f0-9]{8}\.swf$/U"; pcre:"/^Referer\x3a[^\r\n]+\/[a-f0-9]{8}\/1(?:0\/[0-2]|1\/\d)\/\r$/Hm"; classtype:trojan-activity; sid:2018029; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Limitless Logger RAT HTTP Activity"; flow:established,to_server; content:"/Limitless/Login/"; http_uri; pcre:"/^Host\x3a\s*?(?:[^\r\n]+\.)?limitlessproducts\.org\r$/Hm"; classtype:trojan-activity; sid:2018030; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 19"; flow:to_server,established; dsize:>11; content:"|78 9c|"; offset:8; byte_jump:4,-6,little,relative,from_beginning,post_offset -1; isdataat:!1,relative; pcre:"/^.{4}[\x20-\x7e]+?.{4}\x78\x9c/s"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:md5,2b0f0479b14069b378fb454c92086897; classtype:trojan-activity; sid:2018032; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Win32.Genome.boescz Checkin"; flow:to_server,established; content:"|0d 0a|Subject|3a 20|TenInfect"; fast_pattern:9,9; content:"|0d 0a 0d 0a|TenInfect"; distance:0; reference:md5,313535d09865f3629423cd0e9b2903b2; reference:url,www.virustotal.com/en/file/75c454bbcfc06375ad1e8b45d4167d7830083202f06c6309146e9a4870cddfba/analysis/; classtype:trojan-activity; sid:2018033; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Banker.AALV checkin"; flow:to_server,established; content:"CHEGOU-NOIS"; fast_pattern; content:"|20 7c 20|PLUGIN|3a|"; distance:0; content:"|20 7c 20|BROWSER|3a|"; reference:md5,74bfd81b345a6ef36be5fcf6964af6e1; classtype:trojan-activity; sid:2018034; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Jan 29 2014"; flow:from_server,established; file_data; content:"<applet"; fast_pattern:only; content:".exe"; pcre:"/^[\x22\x27]/R"; content:"var"; pcre:"/^\s+?(?P<vname>[^\s=]+)\s*?=\s*?(?P<q>[\x22\x27])(?:(?!(?P=q)).)+?\.exe(?P=q).+?<applet(?:(?!<\/applet>).)+?value\s*?=\s*?(?:\x22\x27|\x27\x22)\s*?\+\s*?(?P=vname)\s*?\+\s*?(?:\x22\x27|\x27\x22)/Rsi"; classtype:trojan-activity; sid:2018035; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN SolarBot Plugin Download Server Response"; flow:from_server,established; file_data; content:"SOLAR|00|"; within:6; content:"MZP"; distance:0; classtype:trojan-activity; sid:2018036; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CookieBomb 2.0 In Server Response Jan 29 2014"; flow:from_server,established; file_data; content:"%66%75%6e%63%74%69%6f%6e%20%72%65%64%69%72%65%63%74"; nocase; content:"%66%75%6e%63%74%69%6f%6e%20%63%72%65%61%74%65%43%6f%6f%6b%69%65"; nocase; content:"%64%6f%52%65%64%69%72%65%63%74"; nocase; fast_pattern:only; reference:url,malwaremustdie.blogspot.jp/2014/01/and-another-detonating-method-of-todays.html; classtype:trojan-activity; sid:2018037; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SolarBot Plugin Download MessageBox"; flow:established,to_server; content:"/MessageBox.bin"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2018038; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SolarBot Plugin Download ComputerInfo"; flow:established,to_server; content:"/ComputerInfo.bin"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2018039; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SolarBot Plugin Download WalletSteal"; flow:established,to_server; content:"/WalletSteal.bin"; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2018040; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Current Asprox Spam Campaign"; flow:established,to_server; urilen:>60; content:"/viewtopic.php?"; http_uri; fast_pattern:only; pcre:"/\/viewtopic\.php\?[^=]+=[a-zA-Z0-9\x2b\x2f]{43}=$/U"; classtype:trojan-activity; sid:2018041; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PHISH Apple - Landing Page"; flow:established,to_client; file_data; content:"<title>Apple - Update Your Information</title>"; classtype:trojan-activity; sid:2018042; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PHISH Visa - Landing Page"; flow:established,to_client; file_data; content:"Enter your password Verified by Visa / MasterCard SecureCode"; classtype:trojan-activity; sid:2018043; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Visa - Creds Phished"; flow:established,to_server; content:"/vbv.php"; http_uri; fast_pattern; content:"password="; http_client_body; classtype:trojan-activity; sid:2018044; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Visa - URI - Landing Page"; flow:established,to_server; content:"/Verified by Visa"; http_uri; nocase; classtype:trojan-activity; sid:2018045; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Jadtree Downloader rar"; flow:to_server; content:".rar"; http_uri; pcre:"/User-Agent\x3a\x20\d{4}\r\n/H"; reference:md5,13cbc8d458c6dd30e94f46b00f8bda00; classtype:trojan-activity; sid:2018046; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Neverquest.InfoStealer Configuration Request CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/forumdisplay.php?fid="; http_uri; content:"id="; http_client_body; depth:3; content:"&info="; http_client_body; distance:0; reference:url,blogs.mcafee.com/mcafee-labs/neverquest-banking-trojan-wild; classtype:trojan-activity; sid:2018047; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/AdLoad.Downloader Download"; flow:established,to_server; content:"/v"; http_uri; content:"&product_name="; http_uri; content:"&installer_file_name="; http_uri; pcre:"/\x2Fv[0-9]{3,4}[\x2F\x3F]/U"; reference:url,malwaretips.com/blogs/trojandownloader-win32-adload-da-virus/; classtype:trojan-activity; sid:2018048; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent EXE2"; flow: established,to_server; content:"User-Agent|3A| EXE2|0d 0a|"; nocase; http_header; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018049; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Magania"; flow: established,to_server; flowbits:set,EXE2; flowbits:noalert; content:"GET"; http_method; content:".txt"; http_uri; content:"User-Agent|3a| EXE2"; fast_pattern; nocase; http_header; content:!"Accept|3a| "; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; content:!"Connection|3a| "; nocase; http_header; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018050; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent Mozi11a"; flow: established,to_server; content:"User-Agent|3A| Mozi11a|0d 0a|"; http_header; reference:md5,3cf3d4d5de51a8c37e11595159179571; classtype:trojan-activity; sid:2018051; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot Generic URI/Header Struct .bin"; flow:established,to_server; content:"GET"; http_method; content:".bin"; http_uri; fast_pattern:only; pcre:"/\/[a-z0-9]{1,31}\.bin$/U"; content:!"Referer|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:!"Accept-Language|3a|"; http_header; content:" MSIE "; http_header; content:!"AskTbARS"; http_header; content:!".passport.net|0d 0a|"; http_header; content:!".microsoftonline-p.net|0d 0a|"; http_header; content:!".symantec.com|0d 0a|"; http_header; content:!".qq.com|0d 0a|"; http_header; content:"|0d 0a 0d 0a|"; classtype:trojan-activity; sid:2018052; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect 8x8 script tag"; flow:established,from_server; file_data; content:".php?id="; content:"/"; distance:-17; within:1; pcre:"/^[a-z0-9A-Z]*?[A-Z0-9][a-z0-9A-Z]*?\.php\?id=\d{8}[\x22\x27]/R"; content:"<script"; nocase; pcre:"/^(?:(?!<\/script>).)*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]+?\/[a-z0-9A-Z]{8}\.php\?id=\d{8}[\x22\x27]/Rsi"; classtype:trojan-activity; sid:2018053; rev:1;)
+
|