#
# Emerging Threats Botnet Command and Control drop rules.
#
# These are generated from the EXCELLENT work done by the abuse.ch folks. All Volunteers, we're grateful for their dedication!
#
# https://ransomwaretracker.abuse.ch
# https://zeustracker.abuse.ch
# https://feodotracker.abuse.ch/
#
#
# SIDs are 2410000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# --- Section 1: Shadowserver-reported CnC servers, grouped by destination port ---
#
# NOTE(review): despite the "drop rules" title above, every rule in this file uses the
# "alert" action, so these detect and tag traffic (they set the ET.Evil and ET.BotccIP
# flowbits) rather than block it. Change the action to "drop" only in an inline (IPS)
# deployment where blocking is intended.
#
# NOTE(review): the SID range stated in the header (2410000+) does not match the rules
# actually present here, which use 2405000+ (this port-grouped section) and 2404000+
# (the IP-grouped section that follows the second header further down).
#
# Each rule below: TCP from $HOME_NET to one listed CnC address on one specific port,
# matched on a SYN (flags:S) that the engine also considers part of an established,
# to-server flow. The threshold limits output to one alert per source host per 360 s.
#
# NOTE(review): pairing flags:S (SYN only) with flow:to_server,established means a
# bare SYN has to satisfy the engine's "established" flow state; whether that ever
# happens depends on the engine's TCP flow tracking, so verify these rules fire in a
# test deployment before relying on them for detection.
#
# NOTE(review): every rule carries updated_at 2018_12_19. Reputation-derived IP lists
# go stale as addresses are reassigned, so treat this as a dated snapshot and expect
# false positives unless it is refreshed from the live feed.
#
alert tcp $HOME_NET any -> 154.35.64.82 80 (msg:"ET CNC Shadowserver Reported CnC Server Port 80 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405000; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 154.35.64.82 81 (msg:"ET CNC Shadowserver Reported CnC Server Port 81 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405001; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 89.248.162.231 443 (msg:"ET CNC Shadowserver Reported CnC Server Port 443 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405002; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 204.188.221.157 1337 (msg:"ET CNC Shadowserver Reported CnC Server Port 1337 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405003; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 213.193.246.34 2319 (msg:"ET CNC Shadowserver Reported CnC Server Port 2319 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405004; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 61.31.99.67 4042 (msg:"ET CNC Shadowserver Reported CnC Server Port 4042 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405005; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> [151.13.184.200,174.59.20.100] 4244 (msg:"ET CNC Shadowserver Reported CnC Server Port 4244 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405006; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 203.44.1.211 6556 (msg:"ET CNC Shadowserver Reported CnC Server Port 6556 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405007; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
# Port 6667 (a common IRC port) carries by far the largest address group in this section.
alert tcp $HOME_NET any -> [46.45.190.57,46.165.193.136,50.18.21.241,50.112.120.66,64.18.139.82,64.71.165.201,64.85.169.114,65.19.178.15,65.23.156.37,70.85.237.252,72.250.175.12,74.122.159.122,77.66.39.57,78.46.95.197,91.121.2.214,91.121.67.157,91.121.146.118,94.23.10.157,94.23.13.5,94.23.36.82,94.23.157.150,95.211.154.159,176.34.209.220,184.73.167.34,184.106.133.130,190.120.228.216,198.245.49.5,199.19.215.29,205.185.113.88,210.135.96.98,216.18.232.151] 6667 (msg:"ET CNC Shadowserver Reported CnC Server Port 6667 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405008; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 206.176.205.101 6668 (msg:"ET CNC Shadowserver Reported CnC Server Port 6668 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405009; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 154.35.64.54 6768 (msg:"ET CNC Shadowserver Reported CnC Server Port 6768 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405010; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> [83.68.16.198,204.188.197.205,212.113.137.225] 7000 (msg:"ET CNC Shadowserver Reported CnC Server Port 7000 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405011; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 154.35.64.107 8585 (msg:"ET CNC Shadowserver Reported CnC Server Port 8585 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405012; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> [65.23.157.127,66.154.121.231,85.25.100.223,85.25.109.116,188.126.73.62] 9000 (msg:"ET CNC Shadowserver Reported CnC Server Port 9000 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405013; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 109.196.130.50 10324 (msg:"ET CNC Shadowserver Reported CnC Server Port 10324 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405014; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 154.35.64.18 11830 (msg:"ET CNC Shadowserver Reported CnC Server Port 11830 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405015; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> 203.70.60.179 13001 (msg:"ET CNC Shadowserver Reported CnC Server Port 13001 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405016; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert tcp $HOME_NET any -> [92.243.30.231,193.107.16.224] 33333 (msg:"ET CNC Shadowserver Reported CnC Server Port 33333 Group 1"; flow:to_server,established; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 360, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2405017; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
#
# --- Section 2: the header repeats here, which suggests two ET rule files were
# concatenated (port-grouped rules above, IP-grouped rules below). The rules that
# follow use "alert ip ... any" (any protocol, any port) against pairs of addresses,
# with a looser one-alert-per-source-per-3600 s threshold. The same addresses from
# Section 1 reappear here, so a hit on a port-grouped rule will normally also hit
# the corresponding IP-grouped rule (two alerts per event unless one set is disabled).
#
#
# Emerging Threats Botnet Command and Control drop rules.
#
# These are generated from the EXCELLENT work done by the abuse.ch folks. All Volunteers, we're grateful for their dedication!
#
# https://ransomwaretracker.abuse.ch
# https://zeustracker.abuse.ch
# https://feodotracker.abuse.ch/
#
#
# SIDs are 2410000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Shadowserver-reported CnC addresses, any protocol / any port, two addresses per rule.
alert ip $HOME_NET any -> [109.196.130.50,151.13.184.200] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404000; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [154.35.64.107,154.35.64.18] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404001; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [154.35.64.54,154.35.64.82] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404002; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [174.59.20.100,176.34.209.220] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404003; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [184.106.133.130,184.73.167.34] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404004; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [188.126.73.62,190.120.228.216] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404005; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [193.107.16.224,198.245.49.5] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404006; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [199.19.215.29,203.44.1.211] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404007; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [203.70.60.179,204.188.197.205] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404008; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [204.188.221.157,205.185.113.88] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404009; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [206.176.205.101,210.135.96.98] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404010; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [212.113.137.225,213.193.246.34] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404011; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [216.18.232.151,46.165.193.136] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404012; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [46.45.190.57,50.112.120.66] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404013; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [50.18.21.241,61.31.99.67] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404014; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [64.18.139.82,64.71.165.201] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404015; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [64.85.169.114,65.19.178.15] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404016; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [65.23.156.37,65.23.157.127] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404017; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [66.154.121.231,70.85.237.252] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404018; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [72.250.175.12,74.122.159.122] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404019; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [77.66.39.57,78.46.95.197] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404020; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [83.68.16.198,85.25.100.223] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404021; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [85.25.109.116,89.248.162.231] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404022; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [91.121.146.118,91.121.2.214] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404023; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [91.121.67.157,92.243.30.231] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404024; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [94.23.10.157,94.23.13.5] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404025; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [94.23.157.150,94.23.36.82] any (msg:"ET CNC Shadowserver Reported CnC Server IP group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404026; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
# Group 28 is the odd one out: a single address, its msg omits the word "IP" used by
# groups 1-27, and classtype precedes the flowbits options. Harmless for matching,
# but worth knowing if alerts are filtered or parsed by msg text.
alert ip $HOME_NET any -> [95.211.154.159] any (msg:"ET CNC Shadowserver Reported CnC Server group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404027; rev:5218; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Shadowserver, signature_severity Major, created_at 2012_05_04, updated_at 2018_12_19;)
#
# --- Section 3: Zeus Tracker (abuse.ch) reported CnC addresses, five per rule ---
# Same rule shape as Section 2 but sourced from zeustracker.abuse.ch and carrying
# banking-trojan metadata (affected_product Windows..., tag Banking_Trojan). SIDs 2404150+.
#
#Zeus Tracker
alert ip $HOME_NET any -> [101.200.81.187,103.19.89.118,103.230.84.239,103.4.52.150,103.7.59.135] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404150; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [104.247.219.41,109.127.8.242,109.229.210.250,109.229.36.65,113.29.230.24] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404151; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [120.31.134.133,120.63.157.195,124.110.195.160,128.210.157.251,139.59.36.231] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404152; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [141.8.226.58,151.97.190.239,162.223.94.56,176.107.179.60,177.4.23.159] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404153; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [180.182.234.200,185.165.170.80,185.35.138.22,185.6.242.251,187.174.252.247] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404154; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [187.191.98.202,188.219.154.228,188.241.140.212,188.241.140.222,188.241.140.224] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404155; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [188.247.135.53,188.247.135.58,188.247.135.74,188.247.135.99,190.128.29.1] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404156; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [190.15.192.25,192.95.9.65,192.99.148.26,192.99.19.4,193.107.19.24] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404157; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [193.107.19.244,193.146.210.69,194.109.64.131,194.226.41.11,195.20.41.205] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404158; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [195.20.41.233,195.20.42.1,195.20.44.100,195.20.44.109,195.20.44.252] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404159; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
alert ip $HOME_NET any -> [195.20.53.157,198.54.117.200,199.187.129.193,199.201.121.185,199.7.234.100] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404160; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;)
# NOTE(review): the next rule (Zeus Tracker group 12) is truncated at the end of this
# excerpt; only its leading "alert ip" survives here and the rest continues off-page.
alert ip
$HOME_NET any -> [201.149.83.183,202.144.144.195,202.29.22.38,202.29.230.198,202.67.13.107] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404161; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [203.170.193.23,209.164.84.70,210.245.8.131,210.4.76.221,212.1.215.117] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404162; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [212.44.64.202,213.147.67.20,216.176.100.240,216.176.184.21,216.215.112.149] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404163; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [216.218.135.114,222.29.197.232,31.7.63.146,37.143.11.189,46.4.150.111] any (msg:"ET CNC Zeus 
Tracker Reported CnC Server group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404164; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [50.63.202.63,58.195.1.4,59.157.4.2,60.13.186.5,60.241.184.209] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404165; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [63.249.152.74,64.127.71.73,64.182.6.61,64.85.233.8,66.116.153.142] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404166; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [66.45.245.150,66.7.198.165,67.214.175.69,78.138.104.167,80.65.93.241] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; 
threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404167; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [80.78.250.26,82.221.113.145,82.221.129.19,82.221.136.4,83.212.117.233] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404168; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [83.69.233.121,84.38.132.16,87.236.210.110,87.236.210.124,87.237.198.245] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404169; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [87.246.143.242,87.254.167.37,89.108.85.65,89.223.26.52,89.252.186.142] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; 
classtype:trojan-activity; sid:2404170; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.107.119.3,91.108.176.118,91.195.240.117,91.236.75.11,93.157.63.185] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404171; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) alert ip $HOME_NET any -> [93.89.226.17,94.103.36.55] any (msg:"ET CNC Zeus Tracker Reported CnC Server group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404172; rev:5218; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Banking_Trojan, signature_severity Major, created_at 2013_10_15, updated_at 2018_12_19;) #Feodo Tracker #Ransomware Tracker alert ip $HOME_NET any -> [103.224.182.250,103.43.75.87] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404400; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment 
Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [104.131.182.103,104.238.173.18] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404401; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [107.170.20.33,107.181.174.34] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404402; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [107.181.187.228,109.234.35.123] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404403; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [109.234.35.128,109.234.35.75] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 
5"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404404; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [109.237.111.168,109.248.222.47] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404405; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [109.248.222.50,138.201.118.102] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404406; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [138.201.93.46,138.201.95.72] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; 
classtype:trojan-activity; sid:2404407; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [139.59.147.0,141.8.226.58] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404408; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [146.120.110.46,146.185.137.40] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404409; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [146.185.155.126,146.185.249.189] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404410; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, 
created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [148.163.73.29,149.154.152.108] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404411; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [149.154.157.14,149.154.159.179] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404412; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [149.154.68.190,149.202.109.202] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404413; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [149.202.52.215,151.236.14.51] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 15"; 
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404414; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [151.236.15.226,158.255.6.109] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404415; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [158.255.6.115,158.69.223.5] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404416; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [164.132.40.47,176.107.185.19] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; 
classtype:trojan-activity; sid:2404417; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [176.114.3.173,176.121.14.95] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404418; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [176.31.127.168,176.31.47.100] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404419; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [176.53.21.105,176.9.172.166] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404420; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, 
created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [178.62.232.244,178.63.238.185] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404421; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.100.85.150,185.102.136.67] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404422; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.102.136.77,185.106.122.38] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404423; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.115.140.170,185.117.153.176] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 25"; 
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404424; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.117.72.105,185.117.72.94] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404425; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.127.25.176,185.129.148.6] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404426; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.141.25.108,185.141.25.150] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; 
classtype:trojan-activity; sid:2404427; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.14.28.30,185.14.29.188] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404428; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.14.29.64,185.14.30.97] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404429; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.146.169.16,185.159.128.119] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404430; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, 
created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.162.8.101,185.162.8.94] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404431; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.17.120.130,185.179.190.31] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404432; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.22.67.108,185.22.67.27] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404433; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.46.11.239,185.46.11.73] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 35"; 
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404434; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.5.250.135,185.67.2.156] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404435; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.75.46.122,185.75.46.4] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404436; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.75.46.73,185.80.148.137] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; 
classtype:trojan-activity; sid:2404437; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.82.216.213,185.82.216.45] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404438; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.82.217.102,185.82.217.29] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 40"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404439; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [185.86.78.3,185.92.220.35] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 41"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404440; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, 
created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [188.120.239.230,188.127.230.60] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 42"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404441; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [188.127.231.116,188.127.231.124] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 43"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404442; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [188.127.239.48,188.127.239.53] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 44"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404443; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [188.127.251.99,188.138.88.184] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 45"; 
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404444; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [188.166.168.250,192.121.16.196] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 46"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404445; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [192.71.213.69,193.0.178.74] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 47"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404446; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [193.124.180.6,193.124.185.87] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 48"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; 
classtype:trojan-activity; sid:2404447; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [193.32.68.48,193.70.86.51] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 49"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404448; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [193.9.28.13,193.9.28.16] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 50"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404449; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [193.9.28.254,193.9.28.49] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 51"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404450; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 
2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [194.1.236.126,194.28.87.26] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 52"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404451; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [194.31.59.5,194.58.56.103] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 53"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404452; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [194.58.56.184,194.58.56.85] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 54"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404453; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [195.123.209.122,195.123.209.23] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 55"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; 
reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404454; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [195.123.211.6,195.123.218.226] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 56"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404455; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [195.154.241.208,195.154.69.90] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 57"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404456; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [195.19.192.99,195.43.95.198] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 58"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404457; 
rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [195.64.154.114,195.64.154.126] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 59"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404458; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [195.64.154.14,207.244.97.230] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 60"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404459; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [212.109.192.235,212.109.219.31] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 61"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404460; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 
2018_12_19;) alert ip $HOME_NET any -> [212.47.223.19,213.159.214.86] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 62"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404461; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [213.32.66.16,217.106.238.89] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 63"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404462; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [217.12.199.151,217.12.199.244] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 64"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404463; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [217.12.199.90,217.12.199.94] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 65"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; 
reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404464; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [217.12.203.233,217.12.218.158] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 66"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404465; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [31.148.99.188,31.148.99.241] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 67"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404466; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [31.184.196.74,31.184.196.75] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 68"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404467; 
rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [31.184.196.78,31.184.197.119] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 69"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404468; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [31.184.197.126,31.184.197.72] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 70"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404469; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [31.184.233.106,31.202.128.249] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 71"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404470; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 
2018_12_19;) alert ip $HOME_NET any -> [31.202.130.9,31.41.44.130] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 72"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404471; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [31.41.44.21,31.41.44.246] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 73"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404472; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [31.41.44.45,31.41.47.37] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 74"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404473; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [31.41.47.41,31.41.47.50] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 75"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; 
threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404474; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [37.139.2.214,37.139.27.52] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 76"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404475; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [37.139.30.95,37.235.50.29] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 77"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404476; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [37.235.53.18,37.235.53.210] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 78"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404477; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [37.46.131.153,45.55.192.133] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 79"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404478; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [46.108.39.18,46.148.20.46] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 80"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404479; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [46.165.253.93,46.17.40.234] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 81"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404480; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [46.17.44.153,46.183.165.45] any (msg:"ET CNC Ransomware 
Tracker Reported CnC Server group 82"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404481; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [46.38.52.225,46.4.239.76] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 83"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404482; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [46.8.44.39,46.8.45.18] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 84"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404483; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [51.254.181.122,51.254.19.227] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 85"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; 
flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404484; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [51.254.240.45,51.254.240.60] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 86"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404485; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [51.254.240.89,51.254.55.171] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 87"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404486; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [51.255.105.2,51.255.107.10] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 88"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404487; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, 
signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [51.255.107.20,51.255.107.37] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 89"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404488; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [51.255.107.8,51.255.172.55] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 90"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404489; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.135.76.18,5.152.199.70] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 91"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404490; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.187.0.137,5.187.5.171] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 92"; 
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404491; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.188.63.23,5.188.63.30] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 93"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404492; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.196.200.229,5.196.200.247] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 94"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404493; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.196.99.239,5.34.180.135] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 95"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; 
classtype:trojan-activity; sid:2404494; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.34.183.136,5.34.183.195] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 96"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404495; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.34.183.21,5.34.183.40] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 97"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404496; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.39.76.12,54.67.27.43] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 98"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404497; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 
2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [5.79.106.152,5.9.253.173] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 99"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404498; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [77.222.54.202,77.73.66.227] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 100"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404499; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [78.40.108.39,78.46.170.79] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 101"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404500; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [78.47.110.82,78.47.159.97] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 102"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; 
reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404501; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [80.87.202.49,81.177.181.164] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 103"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404502; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [81.177.26.201,81.177.27.222] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 104"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404503; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [81.177.27.36,82.146.37.200] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 105"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404504; 
rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [82.196.6.154,82.202.221.108] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 106"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404505; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [82.202.221.88,83.217.11.191] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 107"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404506; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [83.217.11.193,83.217.25.239] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 108"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404507; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) 
alert ip $HOME_NET any -> [83.217.26.168,83.217.8.127] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 109"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404508; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [83.217.8.155,83.217.8.234] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 110"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404509; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [83.220.172.182,84.19.170.244] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 111"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404510; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [84.19.170.249,85.25.138.187] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 112"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; 
reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404511; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [86.104.134.144,88.198.119.177] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 113"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404512; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [88.214.236.11,88.214.236.182] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 114"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404513; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [88.214.237.45,88.214.237.57] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 115"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404514; 
rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [89.108.73.124,89.108.83.189] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 116"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404515; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [89.108.83.196,89.108.84.132] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 117"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404516; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [89.108.84.155,89.108.84.87] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 118"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404517; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) 
alert ip $HOME_NET any -> [89.108.85.163,91.121.97.170] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 119"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404518; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.142.90.46,91.142.90.61] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 120"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404519; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.191.184.158,91.195.12.131] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 121"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404520; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.195.12.143,91.195.12.187] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 122"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; 
reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404521; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.200.14.109,91.200.14.124] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 123"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404522; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.200.14.139,91.200.14.73] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 124"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404523; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.201.202.12,91.201.202.232] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 125"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404524; 
rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.201.41.91,91.203.5.145] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 126"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404525; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.203.5.181,91.209.77.86] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 127"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404526; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.210.166.51,91.211.119.71] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 128"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404527; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) 
alert ip $HOME_NET any -> [91.211.119.98,91.214.71.101] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 129"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404528; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.219.28.231,91.219.28.44] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 130"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404529; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.219.29.106,91.219.29.41] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 131"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404530; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.219.29.48,91.219.29.55] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 132"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; 
threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404531; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.219.29.64,91.219.29.66] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 133"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404532; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.219.29.81,91.219.30.254] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 134"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404533; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.219.31.14,91.219.31.15] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 135"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404534; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.219.31.18,91.223.180.240] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 136"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404535; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.223.88.205,91.223.88.50] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 137"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404536; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.226.92.202,91.226.92.204] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 138"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404537; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.226.92.208,91.226.93.113] any (msg:"ET CNC 
Ransomware Tracker Reported CnC Server group 139"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404538; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.226.93.124,91.228.239.216] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 140"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404539; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.229.188.178,91.230.211.103] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 141"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404540; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.230.211.139,91.230.211.187] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 142"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; 
flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404541; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.230.211.26,91.234.32.192] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 143"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404542; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.234.33.149,91.234.33.215] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 144"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404543; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.234.34.98,91.234.35.216] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 145"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404544; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, 
tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.234.35.243,91.237.247.24] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 146"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404545; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [91.239.235.130,91.247.37.137] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 147"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404546; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [92.222.71.26,92.63.87.106] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 148"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404547; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [92.63.87.134,92.63.87.48] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 149"; 
reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404548; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [92.63.87.53,93.170.104.127] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 150"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404549; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [93.170.123.119,93.170.123.185] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 151"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404550; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [93.170.123.60,93.170.131.108] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 152"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; 
classtype:trojan-activity; sid:2404551; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [93.170.169.52,94.242.57.45] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 153"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404552; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [94.242.59.239,95.163.107.41] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 154"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404553; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [95.181.171.58,95.213.184.10] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 155"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404554; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, 
created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [95.213.195.123,95.46.114.205] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 156"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404555; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [95.46.114.80,95.46.114.97] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 157"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404556; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) alert ip $HOME_NET any -> [95.85.19.195,98.143.148.173] any (msg:"ET CNC Ransomware Tracker Reported CnC Server group 158"; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,ransomwaretracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; classtype:trojan-activity; sid:2404557; rev:5218;metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag Ransomware, signature_severity Major, created_at 2016_04_03, updated_at 2018_12_19;) # # $Id: emerging-ciarmy.rules $ # Emerging Threats Ciarmy rules. 
# # Rules to block CiArmy.com identified Top Attackers (www.ciarmy.com). # Note: the rules below reference the feed under its CINS name (reference:url,www.cinsscore.com) and use the alert action, so as shipped they log matches but do not block; change the action to drop only in an inline (IPS) deployment. # They carry no flow keyword, so any IP packet from a listed address toward $HOME_NET matches, including replies to connections that a $HOME_NET host initiated; each rule is thresholded to one alert per source address per hour (threshold: type limit, track by_src, seconds 3600, count 1). # # More information available at www.emergingthreats.net # # Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # alert ip [1.11.115.182,1.119.145.178,1.119.149.215,1.119.194.226,1.119.44.8,1.119.54.189,1.160.95.123,1.161.137.194,1.161.215.204,1.161.221.228,1.165.104.204,1.165.70.135,1.169.211.127,1.169.40.24,1.172.62.178,1.176.216.164,1.177.191.161,1.179.132.82,1.179.210.233,1.186.142.45,1.186.142.46,1.186.149.4,1.186.219.13,1.186.248.123,1.186.41.107,1.190.62.29,1.192.131.153,1.192.133.123,1.192.89.158,1.202.140.219,1.202.156.201,1.202.222.148,1.214.183.146,1.22.124.243,1.221.192.149,1.223.21.123,1.228.221.47,1.230.44.160,1.231.29.77,1.233.135.190,1.234.83.241,1.236.28.80,1.237.49.136,1.238.118.37,1.238.209.149,1.238.85.187,1.241.249.174,1.245.218.121,1.246.10.93,1.247.145.61] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 1"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [1.247.227.25,1.25.116.121,1.25.72.159,1.25.89.102,1.252.24.138,1.28.104.147,1.29.87.217,1.32.247.70,1.32.249.105,1.32.249.30,1.32.252.9,1.34.147.12,1.34.172.197,1.35.177.150,1.48.234.171,1.52.101.233,1.52.181.84,1.52.185.141,1.52.195.35,1.52.199.155,1.52.254.98,1.53.160.21,1.53.175.124,1.53.229.218,1.53.51.55,1.54.135.211,1.54.151.32,1.54.160.138,1.54.189.120,1.54.225.176,1.54.64.102,1.54.98.88,1.55.141.244,1.55.23.71,1.55.73.128,1.55.86.134,1.6.16.81,1.61.97.150,1.64.216.171,1.65.134.244,1.65.218.200,1.71.189.100,1.82.190.141,1.82.190.58,1.82.228.31,1.85.36.126,2.106.53.187,2.133.129.254,2.133.182.113,2.134.19.90] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 2"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403301; rev:45778; metadata:affected_product Any, attack_target Any, deployment 
Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [2.137.121.173,2.177.91.238,2.228.72.228,2.232.186.7,2.233.135.1,2.237.153.168,2.238.113.127,2.35.185.196,2.38.158.60,2.42.202.174,2.45.131.197,2.50.137.43,2.50.48.109,2.50.5.7,2.51.167.97,2.55.76.245,2.61.76.20,2.62.168.190,2.63.109.124,2.92.225.245,4.16.208.109,4.71.172.13,5.101.40.188,5.101.40.252,5.101.40.47,5.101.40.81,5.101.65.5,5.102.225.71,5.103.13.6,5.116.151.9,5.119.45.118,5.128.121.2,5.129.151.26,5.129.212.113,5.130.0.38,5.135.149.185,5.135.174.223,5.135.19.69,5.136.143.222,5.136.182.202,5.136.238.100,5.137.23.152,5.140.128.239,5.140.128.84,5.140.130.178,5.140.131.156,5.140.139.80,5.140.142.173,5.140.147.112,5.140.147.121] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 3"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403302; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [5.140.147.31,5.140.148.187,5.140.149.108,5.140.155.174,5.140.155.188,5.140.157.144,5.140.159.40,5.140.186.112,5.140.205.143,5.140.244.150,5.140.245.129,5.140.247.93,5.140.249.0,5.140.250.156,5.140.252.37,5.140.255.204,5.140.255.41,5.140.32.88,5.140.33.224,5.140.34.101,5.140.34.170,5.140.35.214,5.140.35.32,5.140.36.233,5.140.38.107,5.140.38.133,5.140.38.66,5.140.39.12,5.140.39.43,5.141.64.48,5.141.65.105,5.141.67.192,5.141.68.182,5.141.68.23,5.141.68.8,5.141.69.70,5.141.70.106,5.141.70.124,5.141.70.126,5.141.70.141,5.141.70.227,5.141.70.62,5.141.70.90,5.141.71.118,5.141.74.143,5.141.75.108,5.141.77.106,5.141.77.133,5.141.78.165,5.144.14.2] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 4"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; 
sid:2403303; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [5.145.160.162,5.149.200.77,5.149.203.21,5.150.215.84,5.150.239.78,5.15.44.31,5.152.140.31,5.152.140.93,5.152.211.71,5.153.180.183,5.153.233.90,5.154.15.77,5.157.49.107,5.164.201.229,5.167.187.238,5.167.66.104,5.17.128.198,5.17.138.126,5.17.163.30,5.172.151.106,5.172.187.19,5.175.79.100,5.187.10.1,5.188.10.245,5.188.206.10,5.188.206.14,5.188.206.22,5.188.206.245,5.188.206.249,5.188.206.252,5.188.206.254,5.188.206.6,5.188.210.12,5.188.210.46,5.188.211.100,5.188.67.16,5.188.87.21,5.188.87.82,5.189.144.212,5.189.3.70,5.196.131.36,5.199.130.107,5.200.64.54,5.200.70.129,5.2.33.212,5.204.72.177,5.225.178.121,5.226.92.62,5.228.0.142,5.228.100.119] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 5"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403304; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [5.228.104.124,5.228.105.49,5.228.107.157,5.228.10.96,5.228.1.12,5.228.128.130,5.228.134.221,5.228.138.174,5.228.145.91,5.228.147.144,5.228.150.11,5.228.16.194,5.228.162.27,5.228.166.5,5.228.167.64,5.228.174.218,5.228.180.27,5.228.182.181,5.228.194.75,5.228.19.55,5.228.196.63,5.228.207.118,5.228.209.124,5.228.209.79,5.228.21.121,5.228.214.241,5.228.225.166,5.228.225.21,5.228.225.255,5.228.227.11,5.228.232.97,5.228.236.99,5.228.238.226,5.228.243.0,5.228.26.216,5.228.28.129,5.228.31.44,5.228.33.179,5.228.38.192,5.228.56.180,5.228.64.148,5.228.69.97,5.228.75.234,5.228.76.98,5.228.90.190,5.228.94.115,5.228.98.209,5.248.142.216,5.250.136.139,5.250.81.10] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 6"; 
reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403305; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [5.34.160.38,5.36.201.70,5.37.211.155,5.44.168.66,5.44.196.17,5.45.72.109,5.45.80.15,5.53.27.158,5.55.172.235,5.55.250.237,5.59.139.30,5.63.151.100,5.63.151.101,5.63.151.102,5.63.151.103,5.63.151.104,5.63.151.105,5.63.151.106,5.63.151.107,5.63.151.108,5.63.151.109,5.63.151.110,5.63.151.111,5.63.151.112,5.63.151.113,5.63.151.114,5.63.151.115,5.63.151.116,5.63.151.117,5.63.151.118,5.63.151.119,5.63.151.120,5.63.151.121,5.63.151.122,5.63.151.123,5.63.151.124,5.63.151.125,5.63.151.126,5.63.164.145,5.66.111.183,5.67.135.9,5.79.119.231,5.79.122.142,5.79.97.101,5.8.48.17,5.8.54.27,5.95.35.109,5.98.136.173,8.25.232.251,8.25.234.46] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 7"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403306; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [8.27.114.234,8.30.180.201,8.3.123.95,8.42.194.106,8.42.227.75,8.9.30.197,8.9.30.225,8.9.3.191,8.9.36.129,8.9.4.160,8.9.6.175,12.146.192.2,12.160.185.134,12.163.232.138,12.166.193.125,12.2.202.77,12.201.56.35,12.235.205.10,12.245.15.242,12.43.5.219,13.66.187.147,13.66.221.70,13.69.76.72,13.71.81.92,13.77.146.178,13.78.44.125,13.94.189.75,14.1.66.210,14.102.92.81,14.102.95.226,14.116.138.221,14.116.138.77,14.116.207.212,14.134.19.1,14.134.25.28,14.137.82.140,14.139.110.164,14.139.58.227,14.139.58.236,14.141.67.86,14.142.101.165,14.142.213.98,14.143.178.36,14.143.196.91,14.152.49.85,14.152.73.135,14.152.73.136,14.152.90.3,14.156.50.182,14.157.138.3] any -> 
$HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 8"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403307; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [14.160.24.102,14.161.12.236,14.161.44.40,14.161.6.201,14.167.140.100,14.169.227.128,14.169.231.142,14.17.127.70,14.17.74.31,14.17.76.250,14.17.79.13,14.17.81.96,14.17.88.38,14.17.88.7,14.172.70.224,14.175.123.246,14.177.146.173,14.18.205.202,14.18.206.3,14.18.235.220,14.18.243.252,14.18.248.3,14.183.213.5,14.184.104.142,14.186.112.143,14.186.32.124,14.187.44.77,14.189.109.175,14.192.10.235,14.192.10.243,14.192.147.140,14.192.159.61,14.192.8.132,14.199.223.188,14.203.68.87,14.207.13.1,14.215.128.168,14.221.236.147,14.225.3.37,14.228.55.99,14.23.34.99,14.231.232.61,14.232.37.14,14.234.192.181,14.237.39.143,14.241.39.247,14.241.67.202,14.245.77.140,14.248.14.185,14.29.111.160] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 9"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403308; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[14.29.125.92,14.29.32.71,14.29.32.75,14.29.49.46,14.32.19.245,14.32.29.42,14.33.133.188,14.37.199.210,14.38.128.160,14.38.180.19,14.39.23.53,14.39.92.80,14.39.93.203,14.42.51.32,14.45.11.51,14.45.52.20,14.47.178.68,14.54.65.63,14.55.192.2,14.58.252.223,14.98.12.162,18.197.106.169,18.206.64.45,18.212.168.25,18.214.184.5,18.217.222.214,18.218.48.93,18.224.169.91,18.231.67.81,23.116.185.114,23.224.147.178,23.224.213.14,23.224.213.60,23.224.2.242,23.224.45.218,23.224.4.90,23.225.140.234,23.225.197.18,23.225.204.24,23.225.207.33,23.225.36.194,23.225.46.2,23.226.75.141,23.23.150.97,23.231.150.2,23.233.9.144,23.234.7.128,23.235.141.178,23.239.105.226,23.239.118.138] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 10"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403309; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [23.239.67.37,23.240.82.66,23.24.163.78,23.24.170.173,23.244.140.2,23.244.205.14,23.245.101.15,23.245.101.7,23.245.103.109,23.245.199.98,23.245.24.68,23.245.49.114,23.245.49.177,23.245.49.226,23.245.96.121,23.249.162.119,23.252.115.21,23.254.215.75,23.27.112.112,23.28.71.42,23.28.88.255,23.30.120.241,23.30.78.50,23.30.95.53,23.88.143.3,23.88.158.66,23.88.167.226,23.88.177.183,23.88.177.215,23.88.177.29,23.88.177.74,23.88.177.93,23.88.24.66,23.88.99.194,23.89.128.244,23.89.129.10,23.89.129.113,23.89.137.171,23.89.191.126,23.89.197.34,23.89.209.170,23.89.21.51,23.89.21.56,23.89.29.105,23.89.4.117,23.89.49.32,23.89.56.77,23.89.56.81,23.89.67.23,23.89.67.248] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 11"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403310; rev:45778; metadata:affected_product Any, 
attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [23.89.71.233,23.89.77.2,23.91.21.162,23.91.71.77,23.92.127.2,23.92.88.213,23.92.88.216,23.94.112.24,23.94.112.61,23.94.167.122,23.94.173.138,23.94.213.141,23.94.243.81,23.94.97.13,23.95.120.101,23.95.120.103,23.95.120.14,23.95.12.146,23.95.192.233,23.95.52.9,23.96.116.148,24.111.88.59,24.130.50.123,24.150.190.255,24.15.168.76,24.151.177.175,24.155.159.43,24.155.42.88,24.161.4.124,24.173.108.170,24.192.159.138,24.205.116.80,24.21.9.212,24.214.207.188,24.219.214.75,24.220.94.111,24.222.168.41,24.226.148.214,24.231.89.180,24.231.93.10,24.234.169.109,24.234.169.110,24.236.98.142,24.244.161.17,24.245.83.89,24.30.17.198,24.30.67.145,24.35.254.244,24.36.140.172,24.42.16.60] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 12"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403311; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [24.42.193.59,24.42.24.189,24.42.37.219,24.42.51.248,24.42.54.240,24.42.8.16,24.42.9.133,24.42.9.221,24.52.139.220,24.52.147.74,24.52.171.110,24.57.206.68,24.59.170.37,24.59.254.190,24.61.224.93,24.64.140.240,24.7.54.232,24.86.232.52,24.96.135.231,27.1.255.227,27.102.102.150,27.102.102.194,27.102.102.247,27.102.106.224,27.102.107.156,27.102.112.83,27.102.113.108,27.102.113.142,27.102.113.17,27.102.113.176,27.102.114.33,27.102.115.19,27.102.118.60,27.102.127.165,27.102.203.185,27.102.203.209,27.102.66.21,27.102.66.218,27.106.50.254,27.109.187.194,27.110.253.10,27.113.216.76,27.115.100.234,27.115.124.3,27.115.124.5,27.115.124.66,27.115.124.67,27.115.124.68,27.115.124.69,27.115.71.66] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 13"; 
reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403312; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [27.115.87.22,27.115.94.226,27.117.6.111,27.118.28.161,27.12.36.157,27.121.208.95,27.121.60.176,27.123.0.153,27.128.191.33,27.128.191.60,27.13.215.90,27.13.85.201,27.13.90.199,27.13.97.233,27.131.161.100,27.140.189.162,27.14.209.214,27.14.72.175,27.147.142.50,27.147.20.176,27.150.195.62,27.15.152.134,27.15.88.153,27.151.13.203,27.151.28.135,27.155.83.111,27.155.87.45,27.155.88.13,27.155.88.159,27.157.100.199,27.17.8.58,27.200.19.244,27.2.139.5,27.201.234.239,27.204.125.88,27.204.52.82,27.207.11.173,27.207.84.163,27.215.144.140,27.215.71.47,27.216.230.239,27.217.44.21,27.222.55.10,27.223.103.18,27.223.14.82,27.223.244.73,27.223.71.6,27.254.142.11,27.254.144.68,27.254.33.7] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 14"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403313; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[27.254.34.181,27.254.34.189,27.254.63.163,27.254.67.162,27.254.96.28,27.255.64.19,27.255.70.74,27.28.97.129,27.32.120.206,27.35.56.42,27.48.138.8,27.49.160.9,27.50.162.132,27.50.162.150,27.50.49.143,27.50.51.132,27.50.51.25,27.50.70.109,27.54.171.236,27.54.54.54,27.72.104.114,27.72.141.20,27.72.148.10,27.72.29.38,27.72.95.38,27.74.234.156,27.74.245.47,27.76.109.58,27.76.112.177,27.76.112.205,27.76.123.185,27.76.190.134,27.76.238.180,27.78.106.159,27.78.17.35,27.78.190.148,27.79.131.40,27.79.134.133,27.79.135.133,27.79.147.131,27.79.149.20,27.79.156.202,27.79.170.9,27.79.184.79,27.79.189.58,27.79.189.80,27.79.191.149,27.79.208.43,27.79.209.225,27.79.210.177] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 15"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403314; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [27.79.212.25,27.79.223.208,27.79.224.142,27.79.225.195,27.79.225.64,27.79.226.134,27.79.230.211,27.79.230.212,27.79.233.137,27.79.239.154,27.79.244.247,27.79.246.113,27.79.253.74,27.79.254.11,27.79.254.68,27.8.192.22,27.8.210.163,27.8.47.222,31.0.196.45,31.11.218.6,31.134.32.52,31.14.255.254,31.148.127.91,31.148.220.150,31.154.0.162,31.154.132.210,31.160.157.158,31.162.104.141,31.162.107.148,31.162.107.86,31.162.109.169,31.162.113.96,31.162.115.15,31.162.115.88,31.162.119.225,31.162.122.118,31.162.122.54,31.162.129.180,31.162.131.193,31.162.131.217,31.162.131.24,31.162.133.100,31.162.133.30,31.162.135.12,31.162.136.197,31.162.137.118,31.162.137.55,31.162.137.63,31.162.137.8,31.162.138.129] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 16"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403315; rev:45778; 
metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [31.162.139.126,31.162.139.179,31.162.142.206,31.162.142.57,31.162.143.247,31.162.144.194,31.162.145.122,31.162.148.11,31.162.155.145,31.162.156.109,31.162.156.46,31.162.156.5,31.162.158.205,31.162.160.111,31.162.163.34,31.162.165.16,31.162.166.7,31.162.167.64,31.162.172.161,31.162.173.192,31.162.173.23,31.162.174.147,31.162.174.181,31.162.178.11,31.162.179.48,31.162.183.157,31.162.183.67,31.162.185.70,31.162.186.43,31.162.188.181,31.162.72.7,31.162.73.82,31.162.74.128,31.162.90.39,31.162.90.4,31.162.94.202,31.162.96.126,31.162.96.190,31.163.100.183,31.163.101.129,31.163.102.149,31.163.105.169,31.163.106.123,31.163.107.135,31.163.108.244,31.163.108.88,31.163.109.253,31.163.109.81,31.163.110.65,31.163.111.89] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 17"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403316; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[31.163.113.129,31.163.114.176,31.163.114.236,31.163.117.143,31.163.117.55,31.163.119.220,31.163.121.103,31.163.121.14,31.163.121.202,31.163.123.183,31.163.123.196,31.163.124.142,31.163.125.188,31.163.132.180,31.163.133.207,31.163.133.4,31.163.135.129,31.163.142.132,31.163.142.54,31.163.144.22,31.163.144.61,31.163.145.224,31.163.147.59,31.163.150.61,31.163.154.220,31.163.156.1,31.163.159.107,31.163.160.142,31.163.163.244,31.163.166.40,31.163.167.136,31.163.175.210,31.163.176.83,31.163.177.181,31.163.177.210,31.163.178.133,31.163.178.248,31.163.178.84,31.163.181.229,31.163.183.26,31.163.188.226,31.163.190.27,31.163.196.167,31.163.200.89,31.163.204.74,31.163.33.255,31.163.35.244,31.163.35.65,31.163.36.124,31.163.36.69] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 18"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403317; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [31.163.38.180,31.163.38.181,31.163.43.239,31.163.47.5,31.163.47.51,31.163.48.93,31.163.49.105,31.163.51.217,31.163.55.154,31.163.57.199,31.163.58.19,31.163.60.19,31.163.61.115,31.163.61.161,31.163.61.41,31.163.63.77,31.163.66.10,31.163.66.139,31.163.66.178,31.163.72.118,31.163.73.217,31.163.73.95,31.163.74.6,31.163.75.109,31.163.76.194,31.163.77.62,31.163.78.192,31.163.78.224,31.163.78.48,31.163.79.176,31.163.79.45,31.163.80.221,31.163.80.240,31.163.81.22,31.163.82.136,31.163.84.114,31.163.84.34,31.163.85.113,31.163.88.78,31.163.89.1,31.163.89.22,31.163.89.236,31.163.90.195,31.163.90.234,31.163.91.165,31.163.91.205,31.163.91.52,31.163.92.167,31.163.92.242,31.163.92.96] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 19"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; 
classtype:misc-attack; sid:2403318; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [31.163.96.228,31.163.97.181,31.163.98.98,31.166.65.199,31.168.115.123,31.168.184.124,31.168.227.139,31.168.49.218,31.169.25.90,31.17.201.78,31.17.229.116,31.171.132.214,31.173.191.142,31.173.238.30,31.180.139.5,31.184.195.108,31.185.100.99,31.192.108.124,31.192.108.68,31.192.108.69,31.192.110.75,31.202.199.114,31.208.110.41,31.208.133.214,31.208.177.53,31.208.217.252,31.208.237.224,31.210.254.91,31.210.68.46,31.210.85.107,31.210.85.109,31.211.150.85,31.214.129.129,31.214.152.97,31.214.160.132,31.216.184.186,31.221.7.5,31.24.201.110,31.28.7.251,31.30.148.215,31.3.121.141,31.3.123.3,31.42.194.239,31.43.63.209,31.7.62.69,34.221.184.198,34.224.84.57,35.138.87.41,35.189.89.215,35.193.9.56] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 20"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403319; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[35.194.186.141,35.199.104.87,35.199.75.62,35.221.175.42,35.228.115.3,35.228.120.253,35.228.192.234,35.229.127.186,35.230.20.49,35.231.165.33,35.233.220.21,35.236.152.183,35.240.37.144,35.243.85.20,35.245.35.199,35.247.20.226,36.102.210.149,36.106.21.27,36.106.21.29,36.110.118.75,36.110.118.78,36.110.218.194,36.110.218.196,36.110.218.197,36.110.218.218,36.110.46.2,36.110.47.252,36.110.47.253,36.110.68.138,36.110.88.169,36.155.2.246,36.156.24.62,36.2.206.218,36.2.220.39,36.226.231.122,36.226.76.31,36.227.0.94,36.228.8.70,36.230.77.110,36.231.218.103,36.232.144.148,36.233.176.210,36.233.185.47,36.234.232.182,36.235.241.205,36.236.109.178,36.236.110.195,36.237.200.25,36.238.78.5,36.24.240.81] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 21"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403320; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [36.250.236.210,36.250.65.58,36.250.75.139,36.250.75.44,36.41.185.111,36.48.167.37,36.65.72.97,36.66.151.159,36.67.202.161,36.67.208.250,36.67.234.41,36.67.37.171,36.7.137.109,36.7.154.216,36.7.87.6,36.72.188.95,36.76.164.139,36.78.42.128,36.82.96.13,36.88.44.114,36.89.136.195,36.89.232.228,36.97.207.11,37.10.113.214,37.10.86.175,37.10.86.213,37.104.152.155,37.104.220.114,37.109.53.170,37.110.104.187,37.110.107.144,37.110.11.136,37.110.112.205,37.110.117.206,37.110.117.62,37.110.124.137,37.110.153.28,37.110.23.190,37.110.25.7,37.110.26.46,37.110.33.218,37.110.37.16,37.110.39.154,37.110.43.255,37.110.47.234,37.110.53.9,37.110.56.59,37.110.60.104,37.110.60.165,37.110.69.102] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 22"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403321; 
rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [37.110.94.103,37.11.72.85,37.113.229.255,37.122.37.33,37.123.151.75,37.123.177.111,37.130.81.152,37.131.135.141,37.131.202.3,37.132.143.66,37.142.158.70,37.142.40.206,37.145.13.127,37.145.177.135,37.146.122.95,37.146.177.213,37.151.158.74,37.152.163.216,37.156.71.104,37.157.202.122,37.159.179.130,37.17.226.7,37.18.255.98,37.187.19.236,37.189.123.222,37.191.131.30,37.191.133.216,37.191.134.207,37.191.168.105,37.191.172.177,37.191.173.36,37.191.196.1,37.191.198.9,37.191.208.76,37.191.210.113,37.191.215.64,37.191.217.142,37.191.222.195,37.193.81.24,37.193.86.181,37.195.111.149,37.20.148.145,37.204.102.244,37.204.102.98,37.204.105.82,37.204.107.197,37.204.107.223,37.204.108.143,37.204.109.221,37.204.111.203] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 23"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403322; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [37.204.118.194,37.204.127.243,37.204.133.107,37.204.145.222,37.204.149.140,37.204.160.121,37.204.17.96,37.204.183.57,37.204.189.28,37.204.210.39,37.204.212.15,37.204.212.61,37.204.213.213,37.204.217.28,37.204.221.177,37.204.230.1,37.204.240.107,37.204.240.37,37.204.241.166,37.204.247.246,37.204.29.105,37.204.31.3,37.204.40.92,37.204.42.230,37.204.5.142,37.204.60.223,37.204.60.58,37.204.61.178,37.204.68.164,37.204.7.250,37.204.80.174,37.204.95.105,37.204.96.165,37.204.97.38,37.204.99.156,37.204.99.75,37.210.158.243,37.21.181.181,37.220.26.164,37.220.33.90,37.221.176.184,37.221.176.190,37.221.178.58,37.224.80.22,37.228.65.175,37.229.107.196,37.235.201.91,37.235.67.60,37.25.2.89,37.252.69.104] any -> 
$HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 24"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403323; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [37.252.83.206,37.255.211.35,37.26.60.105,37.29.110.183,37.29.86.208,37.34.101.168,37.34.227.42,37.41.137.60,37.48.106.21,37.48.117.79,37.48.117.80,37.48.124.212,37.49.225.144,37.49.225.203,37.49.225.77,37.49.225.95,37.49.227.127,37.49.227.132,37.49.227.92,37.49.228.121,37.49.231.108,37.49.231.128,37.49.231.138,37.49.231.139,37.49.231.15,37.49.231.154,37.49.231.155,37.49.231.158,37.49.231.164,37.49.231.173,37.49.231.178,37.49.231.179,37.49.231.183,37.49.231.189,37.49.231.196,37.49.231.197,37.49.231.200,37.49.231.22,37.49.231.31,37.49.231.34,37.49.231.37,37.49.231.48,37.49.231.64,37.49.231.65,37.49.231.70,37.49.231.72,37.49.231.76,37.49.231.77,37.49.231.79,37.49.231.92] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 25"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403324; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[37.49.231.93,37.53.154.240,37.53.77.129,37.57.177.35,37.59.130.89,37.59.130.90,37.59.161.42,37.59.161.44,37.59.239.255,37.59.58.129,37.60.37.78,37.6.227.214,37.71.121.109,37.76.227.250,37.79.100.193,37.79.100.223,37.79.103.129,37.79.103.169,37.79.104.143,37.79.104.207,37.79.106.141,37.79.106.28,37.79.107.115,37.79.108.214,37.79.109.117,37.79.109.171,37.79.110.212,37.79.111.176,37.79.111.41,37.79.113.32,37.79.114.223,37.79.114.232,37.79.114.84,37.79.115.101,37.79.115.150,37.79.115.152,37.79.115.216,37.79.116.167,37.79.116.252,37.79.117.129,37.79.117.26,37.79.118.97,37.79.121.127,37.79.122.212,37.79.123.61,37.79.123.91,37.79.124.247,37.79.125.235,37.79.125.48,37.79.126.195] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 26"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403325; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [37.79.126.219,37.79.126.64,37.79.126.66,37.79.127.214,37.79.127.5,37.79.145.16,37.79.147.85,37.79.149.140,37.79.150.105,37.79.150.152,37.79.151.15,37.79.151.217,37.79.158.78,37.79.32.109,37.79.33.21,37.79.33.227,37.79.33.228,37.79.33.231,37.79.33.63,37.79.34.59,37.79.35.110,37.79.35.182,37.79.35.183,37.79.35.32,37.79.35.38,37.79.35.51,37.79.36.18,37.79.36.5,37.79.37.154,37.79.37.201,37.79.37.213,37.79.37.241,37.79.37.250,37.79.37.4,37.79.37.40,37.79.37.42,37.79.37.47,37.79.38.125,37.79.38.8,37.79.38.93,37.79.39.186,37.79.39.238,37.79.39.250,37.79.39.51,37.79.39.58,37.79.40.131,37.79.40.149,37.79.40.253,37.79.41.227,37.79.41.243] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 27"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403326; rev:45778; metadata:affected_product Any, attack_target Any, 
deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [37.79.41.34,37.79.41.62,37.79.42.114,37.79.42.206,37.79.42.208,37.79.42.91,37.79.42.94,37.79.43.199,37.79.43.202,37.79.44.222,37.79.44.49,37.79.44.88,37.79.45.230,37.79.45.231,37.79.45.251,37.79.46.149,37.79.46.32,37.79.46.56,37.79.47.0,37.79.47.14,37.79.47.254,37.79.47.4,37.79.48.117,37.79.49.118,37.79.49.140,37.79.49.181,37.79.49.40,37.79.50.152,37.79.54.140,37.79.54.223,37.79.55.222,37.79.55.24,37.79.57.138,37.79.57.196,37.79.58.10,37.79.59.131,37.79.59.143,37.79.59.157,37.79.59.221,37.79.59.98,37.79.60.122,37.79.60.248,37.79.61.248,37.79.62.44,37.79.63.225,37.79.63.250,37.79.97.145,37.79.98.43,37.79.99.112,37.79.99.246] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 28"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403327; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [38.104.215.130,38.105.7.34,38.107.91.246,38.107.92.250,38.110.100.143,38.112.61.248,38.114.112.195,38.123.71.141,38.134.120.63,38.135.32.51,38.135.33.118,38.135.33.33,38.64.78.21,38.65.134.1,38.75.137.125,38.75.137.211,38.89.137.59,38.89.137.76,38.89.142.35,38.95.225.252,39.106.110.131,39.106.11.188,39.106.120.19,39.106.122.87,39.106.139.80,39.106.176.212,39.106.180.138,39.106.34.195,39.106.97.118,39.109.207.176,39.111.209.51,39.115.5.197,39.116.161.222,39.117.61.186,39.118.158.229,39.119.76.79,39.119.76.99,39.120.6.39,39.120.6.40,39.120.6.41,39.152.67.245,39.153.144.225,39.153.252.196,39.155.137.126,39.155.232.66,39.155.255.94,39.160.118.141,39.61.33.46,39.61.35.169,39.61.51.169] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 29"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, 
seconds 3600, count 1; classtype:misc-attack; sid:2403328; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [39.65.139.207,39.68.45.82,39.72.83.49,39.74.137.199,39.78.232.153,39.78.68.166,39.79.1.205,39.79.38.0,39.81.46.215,39.87.199.220,39.88.174.242,39.88.234.217,39.89.162.29,39.91.67.212,39.98.41.240,40.113.234.53,40.117.251.34,40.121.1.238,40.121.134.9,40.127.139.199,40.139.165.182,40.68.113.20,40.85.126.52,40.91.206.16,41.0.122.26,41.110.190.54,41.128.168.39,41.128.225.136,41.128.225.149,41.140.244.94,41.140.253.4,41.155.193.130,41.155.239.139,41.155.245.83,41.155.246.92,41.155.246.99,41.162.162.34,41.169.16.73,41.169.72.204,41.175.230.18,41.175.230.19,41.175.231.11,41.182.5.227,41.185.94.73,41.193.254.64,41.204.195.76,41.208.70.152,41.209.100.228,41.211.12.18,41.215.143.207] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 30"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403329; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [41.221.194.1,41.221.251.19,41.222.172.84,41.222.232.227,41.223.49.196,41.223.59.59,41.224.62.27,41.228.163.99,41.230.17.108,41.230.26.46,41.230.54.77,41.232.108.178,41.238.146.198,41.32.124.141,41.32.168.61,41.32.184.205,41.32.204.17,41.32.214.195,41.32.217.129,41.32.235.230,41.32.235.78,41.32.249.67,41.32.76.8,41.33.210.78,41.33.240.119,41.33.37.136,41.33.37.150,41.33.40.67,41.33.73.178,41.35.53.135,41.36.207.103,41.38.105.194,41.38.121.98,41.38.222.50,41.38.76.188,41.39.149.163,41.39.223.154,41.39.93.76,41.41.112.224,41.41.147.243,41.41.190.183,41.41.55.114,41.41.7.197,41.44.49.53,41.59.225.206,41.59.251.246,41.60.196.95,41.65.197.162,41.67.131.208,41.74.177.10] any -> 
$HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 31"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403330; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [41.74.3.18,41.76.210.2,41.76.210.20,41.76.213.205,41.77.14.43,41.77.78.246,41.85.183.80,41.94.92.15,42.101.79.214,42.112.166.164,42.112.255.143,42.113.111.108,42.113.54.123,42.114.13.61,42.114.166.225,42.114.235.149,42.114.26.41,42.116.36.30,42.116.58.255,42.116.64.165,42.117.104.101,42.117.116.172,42.117.127.32,42.117.239.73,42.117.250.185,42.117.52.129,42.117.64.118,42.118.116.182,42.118.121.252,42.118.124.250,42.118.18.113,42.119.170.216,42.119.197.56,42.119.201.89,42.119.75.45,42.123.84.211,42.123.90.110,42.124.40.82,42.146.123.56,42.187.123.209,42.200.140.189,42.200.150.156,42.2.167.6,42.2.201.71,42.2.23.149,42.2.60.123,42.2.64.5,42.202.133.2,42.226.166.153,42.227.171.248] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 32"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403331; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[42.228.0.146,42.228.2.150,42.231.90.177,42.236.10.100,42.236.10.103,42.236.10.108,42.236.10.71,42.236.10.76,42.236.10.82,42.236.61.173,42.237.15.135,42.238.77.98,42.239.134.241,42.247.18.38,42.3.182.152,42.3.99.132,42.48.60.89,42.51.193.203,42.51.223.68,42.54.20.85,42.61.24.202,42.62.24.18,42.98.146.214,42.98.78.149,43.224.14.42,43.224.31.10,43.224.31.12,43.224.31.14,43.224.31.3,43.224.31.35,43.224.31.38,43.224.31.40,43.225.166.91,43.225.180.10,43.225.36.240,43.226.144.226,43.226.146.192,43.226.147.129,43.226.148.178,43.226.148.96,43.226.49.45,43.227.231.131,43.227.231.134,43.227.231.140,43.227.231.209,43.227.231.3,43.230.115.137,43.230.144.55,43.230.145.4,43.230.145.8] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 33"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403332; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [43.231.185.44,43.233.165.199,43.239.155.52,43.240.116.64,43.240.117.174,43.240.117.176,43.240.117.206,43.240.117.218,43.240.117.80,43.240.118.197,43.240.65.27,43.241.106.195,43.242.227.102,43.243.129.39,43.243.130.4,43.246.139.167,43.246.208.218,43.246.208.62,43.246.210.53,43.247.184.36,43.248.168.121,43.248.168.145,43.249.204.198,43.249.224.222,43.249.28.38,43.249.57.255,43.249.81.114,43.249.81.4,43.249.82.169,43.249.82.245,43.250.184.100,43.250.8.202,43.250.9.26,43.251.105.133,43.251.105.194,43.251.239.32,43.252.117.199,43.254.147.60,43.254.148.210,43.254.241.41,43.254.25.125,43.255.119.124,43.255.119.81,43.255.231.125,45.113.35.2,45.113.70.238,45.114.142.43,45.114.172.23,45.114.172.25,45.114.172.26] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 34"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; 
sid:2403333; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [45.114.172.27,45.114.172.28,45.115.127.226,45.115.147.206,45.115.147.212,45.115.147.216,45.115.147.217,45.115.147.218,45.116.173.78,45.116.32.157,45.116.32.212,45.118.136.180,45.118.35.226,45.119.212.105,45.119.60.199,45.119.60.227,45.119.64.204,45.121.52.129,45.121.52.208,45.121.55.174,45.121.64.213,45.123.197.91,45.124.27.37,45.125.192.58,45.125.193.90,45.125.195.34,45.125.195.42,45.125.218.10,45.125.218.142,45.125.218.50,45.125.50.153,45.125.61.194,45.125.66.63,45.126.123.121,45.127.184.23,45.160.139.61,45.161.138.191,45.163.156.208,45.163.157.218,45.163.157.230,45.163.157.232,45.163.157.238,45.163.157.251,45.163.158.82,45.164.167.80,45.165.33.173,45.166.6.28,45.227.255.191,45.227.255.225,45.230.172.7] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 35"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403334; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [45.235.172.1,45.236.169.142,45.239.100.53,45.239.142.38,45.243.186.9,45.248.157.13,45.248.70.181,45.249.42.209,45.250.47.251,45.251.108.55,45.251.108.62,45.251.21.220,45.251.21.51,45.252.104.89,45.252.104.90,45.252.245.2,45.32.141.155,45.32.230.60,45.33.82.172,45.35.101.72,45.39.16.2,45.40.203.61,45.40.247.240,45.4.252.4,45.43.221.122,45.43.228.19,45.49.91.56,45.5.214.246,45.53.192.124,45.56.85.65,45.56.91.118,45.58.11.84,45.58.11.92,45.58.139.123,45.6.63.21,45.61.206.130,45.61.237.95,45.61.238.87,45.62.254.47,45.63.108.84,45.65.240.73,45.65.240.79,45.65.240.84,45.65.240.96,45.70.32.125,45.71.216.227,45.71.228.25,45.73.13.205,45.76.171.79,45.76.223.158] any -> $HOME_NET any (msg:"ET CINS 
Active Threat Intelligence Poor Reputation IP group 36"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403335; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [45.76.239.228,45.77.133.116,45.77.135.112,45.77.136.106,45.77.146.128,45.77.148.216,45.77.152.159,45.77.161.103,45.77.16.15,45.77.240.180,45.77.42.95,45.77.65.43,45.77.77.224,45.79.106.170,45.79.136.175,45.79.69.157,46.100.43.36,46.100.43.82,46.100.63.109,46.101.195.137,46.101.238.207,46.105.233.253,46.105.29.138,46.130.112.131,46.130.117.99,46.137.157.184,46.143.215.245,46.148.20.25,46.148.40.83,46.149.157.39,46.149.43.5,46.150.171.229,46.151.81.26,46.160.233.15,46.161.111.28,46.161.116.210,46.161.15.112,46.162.196.14,46.162.197.174,46.163.155.138,46.166.139.214,46.166.151.133,46.166.151.27,46.166.187.197,46.17.122.226,46.17.46.253,46.172.223.179,46.173.117.177,46.174.191.28,46.174.191.29] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 37"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403336; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[46.174.191.30,46.174.191.31,46.174.191.32,46.177.3.87,46.183.86.238,46.19.103.134,46.191.169.220,46.200.145.44,46.200.223.212,46.209.103.230,46.209.105.43,46.209.117.249,46.209.152.37,46.209.201.73,46.209.209.74,46.22.120.82,46.223.208.2,46.236.65.59,46.236.65.9,46.236.91.211,46.24.63.27,46.242.0.158,46.242.102.69,46.242.116.210,46.242.17.158,46.242.18.60,46.242.22.143,46.242.26.51,46.242.27.65,46.242.31.181,46.242.34.116,46.242.43.71,46.242.45.223,46.242.56.111,46.242.57.75,46.242.62.73,46.242.66.144,46.242.80.113,46.242.80.87,46.242.96.210,46.242.96.5,46.243.119.61,46.243.68.16,46.252.194.172,46.254.24.58,46.26.18.211,46.29.160.27,46.29.162.78,46.29.172.251,46.29.194.90] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 38"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403337; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [46.29.248.104,46.29.255.147,46.32.100.11,46.32.74.14,46.33.205.202,46.33.228.62,46.33.34.148,46.35.190.120,46.37.137.181,46.37.64.2,46.38.48.54,46.38.83.200,46.39.245.108,46.43.213.207,46.43.219.68,46.43.83.64,46.47.227.242,46.50.174.184,46.59.11.243,46.59.62.124,46.59.62.243,46.59.89.222,46.63.248.115,46.7.80.194,46.72.105.138,46.72.126.233,46.72.250.137,46.8.120.123,46.86.153.248,46.99.158.235,46.99.158.243,46.99.252.162,47.134.214.24,47.144.1.134,47.147.211.107,47.153.171.177,47.154.229.133,47.157.27.58,47.16.132.233,47.190.18.33,47.196.72.76,47.20.85.67,47.202.12.196,47.205.112.69,47.206.115.9,47.206.128.35,47.206.91.223,47.220.188.202,47.224.25.28,47.244.29.215] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 39"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403338; rev:45778; 
metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [47.32.146.118,47.34.242.170,47.44.55.2,47.53.20.127,47.62.242.64,47.75.147.204,47.93.221.240,47.93.248.99,47.93.34.217,47.93.5.147,47.94.110.44,47.95.223.50,49.0.125.99,49.114.32.181,49.115.223.37,49.117.50.255,49.117.81.162,49.128.174.248,49.142.51.146,49.143.96.179,49.144.5.114,49.149.229.191,49.159.184.102,49.161.111.226,49.161.172.150,49.171.119.51,49.174.29.101,49.205.178.107,49.206.192.39,49.206.25.114,49.207.5.158,49.236.198.123,49.247.211.225,49.248.100.100,49.248.121.42,49.36.31.86,49.4.109.145,49.4.123.4,49.4.186.211,49.4.49.253,49.4.71.91,49.49.239.251,49.50.202.202,49.50.88.104,49.67.53.215,49.67.72.221,49.72.184.251,49.72.87.124,49.76.152.181,49.85.177.91] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 40"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403339; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [49.86.104.239,50.116.18.33,50.117.122.66,50.117.24.234,50.117.87.141,50.18.85.198,50.200.136.108,50.2.191.2,50.202.44.35,50.204.143.58,50.204.185.169,50.204.97.60,50.205.119.74,50.206.214.200,50.206.84.10,50.227.182.58,50.233.129.195,50.243.32.97,50.244.110.65,50.249.177.140,50.253.118.81,50.253.213.51,50.34.65.202,50.47.109.245,50.62.58.54,50.63.2.222,50.64.73.45,50.7.118.98,50.7.60.50,50.7.78.242,50.76.95.188,50.84.106.234,50.84.120.122,50.84.19.98,50.84.203.98,50.84.88.98,50.90.113.235,50.90.165.127,50.93.200.111,50.93.200.154,50.93.201.81,50.93.202.111,50.93.202.195,50.93.202.242,50.96.238.73,50.97.145.226,50.97.246.218,51.15.12.248,51.15.147.22,51.15.155.209] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 
41"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403340; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [51.15.164.151,51.15.210.42,51.15.218.178,51.15.221.198,51.15.67.70,51.15.70.87,51.15.72.13,51.15.83.201,51.158.24.36,51.174.34.122,51.235.143.103,51.254.49.101,51.254.49.102,51.254.49.104,51.254.49.105,51.254.49.108,51.254.49.111,51.254.49.96,51.254.49.97,51.254.49.99,51.255.109.161,51.255.109.163,51.255.109.164,51.255.109.166,51.255.109.168,51.255.109.173,51.255.109.174,51.255.109.175,51.255.41.235,51.52.191.218,51.68.173.240,51.75.125.109,51.75.205.194,52.116.7.77,52.119.119.140,52.141.34.254,52.141.37.21,52.172.132.68,52.172.135.19,52.178.66.166,52.183.36.191,52.202.117.71,52.204.175.134,52.206.58.55,52.221.79.5,52.231.66.126,52.231.71.185,52.231.72.146,52.54.225.150,52.59.171.17] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 42"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403341; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[52.65.4.112,52.69.90.242,52.73.169.169,54.145.6.72,54.147.85.29,54.168.247.236,54.172.33.56,54.183.116.210,54.228.249.1,54.66.189.243,54.69.52.113,54.79.0.214,54.84.189.95,54.92.230.253,58.101.5.190,58.115.152.216,58.119.25.174,58.119.77.47,58.127.101.112,58.132.202.56,58.135.224.45,58.135.80.203,58.142.30.94,58.142.57.15,58.149.92.35,58.151.29.39,58.152.213.71,58.152.247.170,58.153.1.146,58.153.1.251,58.153.4.126,58.154.229.14,58.16.136.242,58.16.215.15,58.173.103.8,58.176.224.201,58.177.166.126,58.177.208.2,58.18.133.165,58.18.137.119,58.18.137.182,58.18.142.149,58.18.170.114,58.18.212.139,58.18.250.82,58.18.52.23,58.181.246.63,58.182.111.12,58.182.141.238,58.182.197.73] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 43"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403342; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [58.182.211.189,58.182.238.4,58.182.44.113,58.182.74.100,58.185.226.110,58.185.70.86,58.186.133.162,58.186.172.143,58.186.205.94,58.186.221.234,58.186.32.183,58.186.95.212,58.187.120.229,58.187.218.239,58.19.181.26,58.19.183.235,58.19.198.18,58.19.218.130,58.192.23.50,58.192.29.52,58.192.29.55,58.192.29.70,58.192.31.235,58.192.8.222,58.20.215.19,58.20.26.93,58.20.41.53,58.20.63.10,58.209.216.249,58.210.116.46,58.210.237.62,58.210.32.194,58.210.38.210,58.21.242.107,58.211.162.58,58.211.165.10,58.211.252.162,58.211.38.158,58.211.96.179,58.213.148.196,58.213.148.199,58.213.48.219,58.214.1.20,58.214.32.66,58.215.139.124,58.215.142.167,58.215.186.178,58.215.215.94,58.215.229.74,58.215.64.232] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 44"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403343; 
rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [58.215.78.226,58.216.156.242,58.216.172.22,58.216.199.202,58.216.202.202,58.216.245.154,58.216.251.106,58.216.251.76,58.216.253.122,58.216.48.70,58.216.8.83,58.217.158.23,58.218.160.217,58.218.160.218,58.218.160.220,58.218.160.221,58.218.160.222,58.218.165.38,58.218.185.110,58.218.200.104,58.218.200.24,58.218.207.244,58.218.207.85,58.218.213.107,58.218.213.148,58.218.213.156,58.218.213.6,58.218.56.77,58.218.66.102,58.218.66.223,58.218.66.88,58.218.66.95,58.218.66.96,58.219.61.50,58.220.16.93,58.220.212.90,58.220.217.38,58.220.41.59,58.220.56.3,58.22.101.120,58.221.146.166,58.221.227.214,58.221.247.206,58.221.44.109,58.221.47.181,58.221.49.118,58.221.49.49,58.221.58.248,58.222.18.250,58.224.13.83] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 45"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403344; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [58.225.57.10,58.225.57.23,58.228.163.14,58.229.180.248,58.229.206.101,58.229.254.244,58.23.203.202,58.23.211.14,58.232.230.102,58.233.154.119,58.233.85.4,58.234.68.231,58.236.17.147,58.236.98.240,58.238.187.240,58.238.199.194,58.240.194.114,58.240.199.186,58.240.199.187,58.242.100.66,58.242.162.106,58.242.182.10,58.243.114.190,58.244.204.125,58.246.4.50,58.247.137.66,58.248.228.69,58.248.36.198,58.248.8.165,58.249.117.243,58.249.117.248,58.249.117.254,58.250.20.39,58.252.58.242,58.252.6.76,58.255.192.36,58.255.77.17,58.255.78.9,58.27.114.18,58.27.132.74,58.27.199.27,58.30.236.78,58.30.68.74,58.32.211.77,58.34.240.80,58.37.44.152,58.37.84.209,58.42.228.170,58.48.33.113,58.49.58.199] any -> $HOME_NET any (msg:"ET 
CINS Active Threat Intelligence Poor Reputation IP group 46"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403345; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [58.49.91.194,58.49.94.230,58.49.94.84,58.56.186.54,58.56.203.38,58.56.241.58,58.57.91.94,58.58.21.188,58.58.21.26,58.59.133.198,58.59.140.8,58.59.176.104,58.59.18.85,58.59.64.61,58.59.64.86,58.6.89.145,58.63.245.207,58.63.247.68,58.64.128.25,58.64.129.140,58.64.132.213,58.64.132.217,58.64.136.118,58.64.145.56,58.64.145.59,58.64.149.174,58.64.152.141,58.64.158.90,58.64.162.170,58.64.162.174,58.64.178.169,58.64.183.118,58.64.193.111,58.64.193.113,58.64.200.114,58.64.200.178,58.64.200.180,58.64.200.29,58.64.200.53,58.65.135.107,58.65.137.170,58.65.196.90,58.65.218.108,58.67.193.126,58.67.193.158,58.67.193.179,58.67.197.91,58.69.181.84,58.69.19.179,58.78.215.78] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 47"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403346; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[58.82.214.62,58.82.219.231,58.82.219.61,58.82.233.213,58.82.234.104,58.82.238.244,58.82.239.225,58.82.244.58,58.83.178.178,58.83.197.24,58.83.209.39,58.83.229.24,58.83.237.126,58.87.111.121,58.96.103.183,58.96.104.27,58.96.241.158,58.97.74.54,59.108.126.199,59.108.47.38,59.108.64.131,59.110.165.89,59.120.0.111,59.120.11.180,59.120.154.25,59.120.155.20,59.120.16.209,59.120.181.220,59.120.61.20,59.120.65.62,59.120.74.95,59.120.75.238,59.12.20.1,59.124.157.173,59.124.164.91,59.124.195.67,59.124.247.86,59.124.71.123,59.124.8.93,59.124.92.112,59.124.94.64,59.125.103.155,59.125.121.7,59.125.131.111,59.125.182.75,59.125.209.156,59.125.236.80,59.125.249.75,59.125.28.98,59.125.61.179] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 48"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403347; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [59.125.75.149,59.126.107.159,59.126.234.219,59.126.244.133,59.126.57.157,59.127.180.244,59.127.192.80,59.127.200.146,59.127.52.56,59.127.61.227,59.13.228.63,59.14.212.94,59.144.163.171,59.145.200.210,59.151.74.240,59.151.9.68,59.160.110.7,59.168.104.203,59.170.209.17,59.173.12.166,59.173.17.98,59.173.193.41,59.173.194.160,59.173.195.66,59.175.156.87,59.175.175.10,59.187.227.2,59.188.12.70,59.188.16.138,59.188.16.149,59.188.196.226,59.188.23.101,59.188.235.115,59.188.23.79,59.188.251.54,59.188.254.31,59.188.71.151,59.188.73.200,59.188.85.15,59.20.205.178,59.22.221.125,59.22.59.250,59.25.178.1,59.25.233.205,59.28.216.201,59.30.101.105,59.30.39.51,59.31.84.142,59.32.183.178,59.32.183.185] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 49"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403348; 
rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [59.34.148.109,59.36.132.143,59.36.132.222,59.36.255.64,59.37.162.194,59.37.163.139,59.37.22.99,59.39.71.227,59.4.183.239,59.41.186.18,59.44.131.76,59.45.97.30,59.46.0.32,59.46.179.202,59.46.180.154,59.46.71.11,59.46.99.47,59.47.71.20,59.47.71.33,59.47.72.10,59.47.72.175,59.47.72.189,59.47.72.190,59.48.205.253,59.49.193.15,59.49.38.210,59.49.54.210,59.50.71.106,59.50.85.195,59.50.85.23,59.52.97.130,59.6.3.44,59.63.207.92,59.63.210.90,59.68.61.174,59.69.80.253,59.72.128.9,59.85.89.208,59.90.31.251,59.9.253.145,59.99.236.57,60.10.199.140,60.10.57.137,60.10.57.140,60.10.69.37,60.10.69.73,60.11.123.88,60.12.10.37,60.12.200.26,60.12.235.104] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 50"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403349; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [60.13.146.222,60.13.192.21,60.13.194.158,60.13.204.75,60.13.226.223,60.14.39.126,60.144.94.199,60.164.249.51,60.165.105.114,60.165.208.28,60.165.243.26,60.165.248.105,60.165.48.97,60.165.53.183,60.165.98.8,60.166.40.26,60.166.82.109,60.167.225.24,60.167.71.10,60.168.55.239,60.169.215.97,60.169.25.246,60.170.218.229,60.170.27.76,60.171.117.197,60.171.157.158,60.172.0.133,60.172.0.137,60.172.0.139,60.172.0.152,60.172.5.105,60.172.5.108,60.172.5.154,60.172.5.155,60.172.5.25,60.172.5.95,60.172.8.10,60.173.255.176,60.174.35.80,60.174.36.99,60.174.60.82,60.175.165.166,60.175.165.168,60.175.165.171,60.176.160.33,60.185.194.189,60.190.206.250,60.190.223.184,60.190.249.119,60.190.98.50] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 51"; 
reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403350; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [60.191.101.196,60.191.192.30,60.191.193.242,60.191.232.35,60.191.23.60,60.191.32.71,60.191.38.77,60.191.52.254,60.191.8.154,60.191.8.156,60.194.60.32,60.194.60.34,60.194.60.54,60.195.254.34,60.198.38.225,60.2.196.2,60.2.243.66,60.2.251.81,60.2.253.156,60.2.46.50,60.206.135.238,60.206.78.81,60.207.126.235,60.209.29.106,60.209.29.124,60.210.100.202,60.210.40.210,60.211.225.170,60.213.232.39,60.214.153.118,60.214.226.15,60.216.24.93,60.217.105.66,60.217.197.218,60.217.244.18,60.217.72.12,60.22.140.2,60.221.229.142,60.221.242.34,60.223.239.147,60.223.252.185,60.226.1.114,60.226.1.9,60.23.54.94,60.23.73.33,60.23.79.237,60.238.149.27,60.244.115.166,60.245.59.177,60.248.109.203] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 52"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403351; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[60.248.112.163,60.248.123.163,60.248.125.125,60.248.139.169,60.248.163.219,60.248.164.248,60.248.164.249,60.248.26.103,60.248.80.218,60.249.145.32,60.249.24.74,60.249.253.179,60.249.32.199,60.249.33.89,60.250.103.199,60.250.104.222,60.250.110.71,60.250.123.141,60.250.226.228,60.250.39.77,60.250.42.98,60.250.63.247,60.250.63.28,60.250.74.106,60.250.80.199,60.250.83.49,60.250.91.119,60.251.111.30,60.251.128.64,60.251.131.75,60.251.132.64,60.251.133.227,60.251.140.163,60.251.177.125,60.251.178.215,60.251.183.72,60.251.189.212,60.251.191.30,60.251.195.29,60.251.199.162,60.251.224.66,60.251.231.140,60.251.234.242,60.251.52.18,60.251.56.108,60.251.69.73,60.28.195.124,60.28.236.70,60.28.29.62,60.29.227.163] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 53"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403352; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
#
# ---------------------------------------------------------------------------
# ET CINS "Active Threat Intelligence Poor Reputation IP" rules
#
# What each rule in this section does:
#   - Built from the CINS Army reputation feed (reference:url,www.cinsscore.com).
#     Each rule carries one group of 50 IPv4 source addresses; the addresses
#     within a group are sorted as strings, not numerically (e.g. 61.12.7.213
#     sorts after 61.120.152.11), which matters when diffing feed updates.
#   - `alert ip [group] any -> $HOME_NET any` matches ANY IP protocol on ANY
#     port from a listed source toward $HOME_NET. There is no flow: keyword and
#     no payload match, so the decision rests on the source address alone: a
#     single unsolicited inbound packet, including one with a forged source
#     address, is enough to fire. Treat a hit as reputation context for
#     triage, not as evidence of an established session or of compromise.
#   - `threshold: type limit, track by_src, seconds 3600, count 1` caps output
#     at one alert per listed source address per hour; further packets from
#     that source inside the window still match but are not alerted on.
#   - The action is alert (classtype misc-attack, signature_severity Major,
#     deployment Perimeter). Do not flip these to drop, or push the address
#     lists into an automated blocklist, without validating the addresses
#     against current data first.
#
# Operational caveats:
#   - updated_at 2018_12_19: the address lists are a snapshot from that date.
#     Reputation data churns, so expect reassigned or remediated addresses and
#     review false positives before tuning or blocking on these sids.
#   - Direction is only meaningful if $HOME_NET is defined accurately; with
#     $HOME_NET left as any, the rules fire on any packet from a listed source
#     regardless of where it is headed.
#   - Every rule visible here carries the same rev:45778, so rev does not tell
#     you which group's address list changed in a given feed update.
# ---------------------------------------------------------------------------
alert ip [60.29.64.177,60.30.73.11,60.31.193.20,60.31.193.26,60.36.230.45,60.45.70.251,60.5.189.21,60.52.51.172,60.55.32.67,60.6.217.185,60.6.255.172,60.6.255.61,60.8.216.98,61.0.240.82,61.100.5.224,61.105.167.11,61.111.18.92,61.111.52.145,61.115.122.177,61.120.152.11,61.12.7.213,61.12.7.249,61.125.77.137,61.128.161.154,61.130.68.206,61.131.121.95,61.131.20.133,61.131.207.66,61.132.110.126,61.132.89.150,61.133.215.237,61.134.136.105,61.136.144.163,61.137.151.135,61.139.151.187,61.139.77.172,61.142.209.58,61.142.75.66,61.143.160.151,61.143.160.233,61.145.119.144,61.145.119.239,61.145.126.80,61.146.115.82,61.146.199.186,61.147.113.98,61.147.115.131,61.147.124.227,61.147.204.34,61.147.67.187] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 54"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403353; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [61.147.96.93,61.148.115.214,61.148.203.174,61.148.28.118,61.148.52.82,61.149.205.254,61.149.85.74,61.153.106.4,61.153.111.146,61.153.237.54,61.153.77.182,61.154.104.204,61.155.41.34,61.155.41.53,61.155.60.98,61.156.118.26,61.156.8.64,61.157.91.111,61.157.97.84,61.158.131.170,61.158.167.184,61.158.170.180,61.160.194.149,61.160.200.58,61.160.208.245,61.160.213.51,61.160.213.82,61.160.221.101,61.160.222.118,61.160.222.148,61.160.222.211,61.160.234.141,61.160.245.152,61.160.245.6,61.160.245.66,61.160.249.209,61.160.93.163,61.161.139.75,61.161.143.163,61.161.155.100,61.161.155.102,61.161.214.3,61.161.249.121,61.163.138.147,61.163.165.101,61.163.26.118,61.164.154.60,61.164.37.178,61.164.80.250,61.164.96.122] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 55"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403354; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [61.164.96.158,61.164.96.174,61.164.96.182,61.164.96.82,61.164.97.34,61.164.97.74,61.166.122.131,61.167.105.102,61.167.209.86,61.174.20.38,61.174.208.10,61.174.50.171,61.175.101.165,61.175.101.166,61.175.232.138,61.176.222.165,61.176.222.170,61.177.142.200,61.177.46.251,61.177.77.134,61.178.103.148,61.178.129.118,61.178.129.122,61.178.129.151,61.178.15.32,61.178.18.189,61.178.18.191,61.178.186.169,61.178.243.203,61.178.29.225,61.178.29.50,61.178.30.220,61.178.91.152,61.181.81.107,61.183.159.66,61.183.9.17,61.184.186.174,61.184.190.221,61.184.196.166,61.184.247.6,61.186.131.238,61.186.172.189,61.189.36.123,61.19.25.246,61.19.30.156,61.19.30.77,61.19.64.9,61.19.80.158,61.19.86.211,61.191.149.247] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 56"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403355; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [61.191.200.67,61.191.56.153,61.193.84.37,61.216.10.232,61.216.11.48,61.216.138.156,61.216.151.210,61.216.152.45,61.216.164.89,61.216.167.13,61.216.170.226,61.216.174.137,61.216.25.173,61.216.29.204,61.216.34.48,61.216.36.171,61.216.40.209,61.216.45.43,61.216.52.156,61.216.57.102,61.216.66.119,61.216.69.33,61.216.71.26,61.216.73.46,61.216.84.248,61.216.88.194,61.216.91.164,61.218.112.163,61.218.134.110,61.218.134.112,61.218.181.71,61.218.20.70,61.218.20.71,61.218.20.73,61.219.11.141,61.219.11.151,61.219.120.250,61.219.153.7,61.219.191.178,61.219.238.214,61.219.249.143,61.219.57.99,61.219.77.122,61.220.179.201,61.220.196.16,61.220.204.182,61.220.205.182,61.220.221.170,61.220.24.105,61.220.251.176] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 57"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403356; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [61.220.60.225,61.220.60.246,61.221.228.20,61.221.42.147,61.221.42.18,61.222.210.198,61.222.236.162,61.222.32.155,61.222.93.66,61.222.93.67,61.222.93.79,61.222.93.94,61.223.152.60,61.230.11.238,61.235.102.229,61.235.24.36,61.236.237.82,61.237.224.79,61.239.249.170,61.250.94.3,61.254.179.201,61.254.59.237,61.26.89.62,61.34.89.234,61.35.92.8,61.42.166.232,61.50.110.62,61.50.114.74,61.50.125.58,61.50.133.42,61.50.148.174,61.5.131.18,61.5.158.109,61.51.81.174,61.55.135.151,61.55.139.16,61.55.139.33,61.55.139.6,61.55.140.231,61.55.142.81,61.55.142.82,61.55.142.83,61.55.159.151,61.55.164.46,61.56.175.204,61.60.177.116,61.60.177.140,61.60.183.130,61.6.206.57,61.62.44.200] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 58"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403357; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [61.63.181.37,61.63.186.179,61.64.14.195,61.64.28.68,61.65.42.92,61.69.198.134,61.73.182.233,61.74.153.52,61.74.37.155,61.78.107.30,61.78.193.81,61.78.205.177,61.80.27.205,61.80.27.216,61.8.158.119,61.82.47.86,61.84.206.110,61.90.140.90,61.93.201.186,61.93.52.126,61.97.242.130,61.97.55.131,62.0.72.247,62.1.178.184,62.103.73.159,62.105.16.26,62.12.113.126,62.121.61.44,62.121.65.200,62.128.195.39,62.133.173.180,62.14.232.243,62.141.35.227,62.141.42.32,62.148.226.185,62.150.72.253,62.152.3.239,62.152.5.50,62.165.217.165,62.165.46.210,62.168.122.92,62.168.143.78,62.173.138.105,62.173.139.194,62.182.29.126,62.193.88.236,62.194.191.69,62.197.64.44,62.201.228.138,62.210.131.49] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 59"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403358; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [62.210.138.217,62.210.172.58,62.210.180.206,62.210.29.135,62.210.77.158,62.210.86.101,62.212.230.38,62.212.9.14,62.213.115.242,62.215.135.35,62.219.128.90,62.219.155.114,62.219.164.170,62.219.164.172,62.219.164.174,62.219.17.189,62.219.226.248,62.219.235.23,62.219.7.25,62.219.7.26,62.219.7.27,62.219.7.34,62.219.7.54,62.221.157.19,62.227.183.17,62.27.48.86,62.28.187.42,62.31.86.177,62.43.152.233,62.47.155.184,62.63.213.28,62.63.229.63,62.63.237.141,62.64.80.170,62.69.129.162,62.69.130.152,62.73.115.98,62.76.146.19,62.84.86.220,62.90.102.25,62.90.102.9,62.94.49.73,62.97.173.20,63.131.133.169,63.140.23.103,63.141.227.170,63.141.240.26,63.141.245.234,63.141.248.50,63.142.101.182] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 60"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403359; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [63.143.113.42,63.143.34.150,63.143.46.174,63.143.58.54,63.208.120.215,63.209.33.197,63.209.33.27,63.217.66.222,63.252.131.244,63.252.132.12,64.113.113.158,64.140.146.2,64.17.20.2,64.180.224.157,64.183.78.125,64.185.231.16,64.20.62.59,64.209.31.5,64.32.12.242,64.34.161.111,64.60.43.34,64.60.43.45,64.66.237.178,64.68.225.181,64.68.229.158,64.68.234.104,64.68.234.184,64.68.235.254,64.68.237.119,64.68.237.135,64.68.239.42,64.68.240.252,64.68.250.141,64.79.76.70,64.89.15.113,64.90.29.187,64.91.76.97,64.98.243.66,65.102.121.26,65.153.227.4,65.166.97.6,65.189.1.108,65.202.71.73,65.23.153.6,65.242.101.253,65.25.84.221,65.29.235.146,65.36.175.18,65.36.60.76,65.36.74.159] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 61"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403360; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [65.39.231.166,65.48.170.90,65.50.252.27,65.52.215.133,65.68.82.103,65.74.137.193,65.74.143.234,65.99.188.144,65.99.188.152,66.102.213.66,66.109.29.6,66.110.120.2,66.110.191.66,66.112.109.52,66.117.6.206,66.117.8.162,66.158.213.34,66.158.62.1,66.168.88.53,66.172.112.107,66.18.54.164,66.196.1.130,66.211.102.180,66.212.30.210,66.214.125.12,66.214.40.126,66.219.100.39,66.219.102.117,66.222.44.75,66.23.230.61,66.232.145.232,66.240.192.138,66.240.192.189,66.240.205.34,66.240.219.146,66.240.236.119,66.248.190.56,66.26.177.54,66.42.104.104,66.42.49.77,66.42.61.197,66.45.242.194,66.61.16.98,66.70.250.106,66.76.1.222,66.79.163.190,66.79.174.103,66.79.176.236,66.79.179.203,66.79.181.138] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 62"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403361; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [66.79.181.155,66.79.181.184,66.85.6.146,66.85.6.190,66.85.77.146,66.96.218.218,66.98.62.212,67.148.176.77,67.171.12.139,67.183.155.143,67.198.128.242,67.198.156.9,67.198.170.13,67.198.180.34,67.21.78.98,67.212.155.222,67.213.74.121,67.229.134.102,67.229.135.106,67.229.135.50,67.229.151.186,67.229.154.154,67.229.156.222,67.229.161.130,67.229.161.70,67.229.163.178,67.229.24.194,67.229.77.74,67.229.98.26,67.229.99.150,67.245.53.247,67.247.18.173,67.251.134.26,67.43.97.242,67.55.200.84,67.69.18.51,67.71.193.222,67.78.247.82,67.79.14.26,67.82.155.56,67.83.49.234,68.101.190.238,68.110.127.120,68.13.49.60,68.132.240.49,68.143.253.79,68.149.124.186,68.170.153.33,68.175.40.160,68.183.109.133] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 63"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403362; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [68.183.183.70,68.183.209.191,68.183.213.214,68.183.214.4,68.183.65.131,68.183.78.143,68.183.98.123,68.184.10.134,68.184.36.69,68.208.23.246,68.232.48.10,68.255.154.241,68.5.172.107,68.55.106.197,68.56.25.182,68.70.208.167,68.70.213.34,68.70.216.208,68.70.217.7,68.70.218.150,68.71.162.43,68.82.230.36,68.84.106.59,69.10.47.176,69.10.48.147,69.11.66.48,69.117.243.209,69.12.127.194,69.121.132.148,69.125.220.185,69.129.193.239,69.135.170.39,69.142.92.100,69.143.125.75,69.145.123.14,69.147.146.194,69.156.22.216,69.162.124.110,69.162.86.250,69.162.87.26,69.165.173.49,69.166.8.146,69.167.162.94,69.167.49.69,69.17.141.18,69.172.195.113,69.172.87.108,69.172.87.109,69.172.87.65,69.195.129.242] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 64"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403363; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [69.195.135.74,69.195.136.38,69.195.136.39,69.197.138.106,69.197.154.2,69.198.106.163,69.20.189.131,69.204.239.25,69.21.98.84,69.246.89.249,69.248.70.29,69.253.19.219,69.30.234.2,69.38.138.60,69.42.66.94,69.42.81.68,69.46.128.54,69.46.134.200,69.46.37.156,69.56.188.86,69.59.84.76,69.73.53.18,69.84.112.37,70.102.219.76,70.120.180.176,70.15.157.147,70.160.217.219,70.164.0.248,70.164.101.108,70.167.156.254,70.169.19.114,70.169.227.155,70.175.224.69,70.182.140.153,70.182.176.155,70.182.177.86,70.186.94.11,70.187.69.34,70.31.128.63,70.33.206.130,70.33.248.171,70.39.107.130,70.39.117.34,70.39.126.66,70.44.44.10,70.45.11.102,70.56.138.41,70.60.105.138,70.65.254.206,70.75.123.35] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 65"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403364; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
# Groups 66 and 67 contain two runs of consecutive hosts (71.6.233.3-33 and
# 71.6.233.130-160) listed address by address rather than as a CIDR block;
# because the feed is string-sorted the runs straddle the group boundary.
alert ip [70.90.127.158,70.91.60.25,70.96.222.166,70.96.223.198,71.14.237.124,71.14.255.251,71.187.64.165,71.193.133.77,71.194.95.19,71.202.241.115,71.229.24.115,71.41.123.210,71.42.101.242,71.42.105.34,71.42.105.41,71.42.172.43,71.42.172.44,71.42.226.210,71.42.23.141,71.42.43.54,71.6.135.131,71.6.142.80,71.6.142.81,71.6.142.87,71.6.146.130,71.6.146.185,71.6.146.186,71.6.158.166,71.6.165.200,71.6.167.142,71.6.199.23,71.6.232.2,71.6.232.4,71.6.232.5,71.6.233.10,71.6.233.11,71.6.233.12,71.6.233.13,71.6.233.130,71.6.233.131,71.6.233.132,71.6.233.133,71.6.233.134,71.6.233.135,71.6.233.136,71.6.233.137,71.6.233.138,71.6.233.139,71.6.233.14,71.6.233.140] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 66"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403365; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [71.6.233.141,71.6.233.142,71.6.233.143,71.6.233.144,71.6.233.145,71.6.233.146,71.6.233.147,71.6.233.148,71.6.233.149,71.6.233.15,71.6.233.150,71.6.233.151,71.6.233.152,71.6.233.153,71.6.233.154,71.6.233.155,71.6.233.156,71.6.233.157,71.6.233.158,71.6.233.159,71.6.233.16,71.6.233.160,71.6.233.17,71.6.233.18,71.6.233.19,71.6.233.20,71.6.233.21,71.6.233.22,71.6.233.23,71.6.233.24,71.6.233.25,71.6.233.26,71.6.233.27,71.6.233.28,71.6.233.29,71.6.233.3,71.6.233.30,71.6.233.31,71.6.233.32,71.6.233.33,71.6.233.4,71.6.233.5,71.6.233.6,71.6.233.7,71.6.233.8,71.6.233.9,71.68.242.50,71.8.35.110,71.89.52.3,71.9.96.59] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 67"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403366; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [71.93.100.191,71.94.49.233,72.151.142.147,72.174.9.78,72.184.83.5,72.186.249.167,72.189.106.55,72.20.91.172,72.203.112.187,72.218.226.85,72.239.129.113,72.239.23.95,72.249.213.164,72.249.215.222,72.249.232.226,72.249.56.8,72.252.200.204,72.252.247.85,72.255.21.246,72.26.224.226,72.27.170.142,72.31.18.230,72.34.71.66,72.37.141.162,72.86.50.252,72.90.235.219,72.95.129.173,73.104.184.47,73.121.31.141,73.125.109.117,73.139.225.107,73.140.215.138,73.141.117.34,73.144.158.181,73.162.116.70,73.163.148.213,73.170.111.208,73.170.169.71,73.20.107.242,73.201.70.11,73.231.57.149,73.233.25.26,73.255.13.57,73.255.99.152,73.26.59.118,73.28.142.198,73.42.75.59,73.47.219.102,73.5.198.129,73.62.153.164] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 68"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403367; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [73.70.165.134,73.73.103.151,73.95.233.30,74.114.101.139,74.114.149.12,74.114.149.247,74.12.115.4,74.131.136.167,74.139.240.244,74.196.168.224,74.196.193.249,74.199.78.151,74.202.105.141,74.202.105.153,74.202.47.20,74.222.20.170,74.50.39.169,74.64.167.172,74.64.82.61,74.66.209.159,74.71.26.157,74.81.134.90,74.81.99.73,74.89.43.168,74.91.22.122,74.95.138.121,75.109.179.64,75.115.135.167,75.127.217.165,75.139.59.114,75.148.188.233,75.150.33.81,75.156.28.210,75.176.62.181,75.177.79.0,75.188.192.220,75.189.235.162,75.22.143.243,75.77.36.18,75.83.227.197,75.98.87.95,75.98.87.97,76.10.133.217,76.107.175.179,76.108.177.241,76.119.19.184,76.164.192.66,76.167.188.199,76.174.7.219,76.177.133.16] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 69"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403368; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [76.177.204.176,76.181.198.219,76.185.21.2,76.218.193.178,76.237.136.75,76.25.2.96,76.31.20.125,76.65.112.201,76.72.163.156,76.81.242.230,77.103.213.110,77.103.24.117,77.104.69.243,77.104.97.225,77.107.108.98,77.107.174.237,77.107.41.186,77.107.41.199,77.107.41.216,77.108.207.172,77.110.4.27,77.119.234.57,77.120.30.147,77.120.85.106,77.120.99.6,77.121.93.144,77.123.227.250,77.127.93.192,77.151.235.18,77.158.164.115,77.166.38.75,77.174.117.30,77.194.55.113,77.20.210.88,77.20.221.53,77.20.223.212,77.201.198.68,77.211.16.26,77.211.23.60,77.216.107.11,77.217.90.24,77.218.254.119,77.220.75.157,77.221.215.50,77.228.178.4,77.228.229.214,77.235.21.150,77.240.172.86,77.240.186.62,77.240.70.186] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 70"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403369; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [77.240.85.14,77.243.93.123,77.245.109.164,77.245.179.20,77.245.98.238,77.246.228.92,77.247.145.118,77.247.249.5,77.31.92.123,77.34.101.28,77.34.132.170,77.34.190.248,77.35.50.45,77.37.136.40,77.37.145.41,77.37.145.91,77.37.154.91,77.37.168.29,77.37.174.217,77.37.185.26,77.37.198.74,77.37.203.13,77.37.221.3,77.37.226.163,77.37.229.185,77.37.238.220,77.37.243.19,77.37.245.210,77.37.249.9,77.38.161.187,77.40.243.75,77.47.68.9,77.50.52.114,77.52.146.224,77.53.183.50,77.53.219.163,77.53.219.81,77.53.247.42,77.65.37.178,77.68.215.172,77.70.21.18,77.72.120.226,77.72.82.19,77.72.82.23,77.72.83.181,77.72.85.117,77.72.85.18,77.72.85.26,77.72.85.27,77.72.85.8] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 71"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403370; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [77.73.54.140,77.76.181.174,77.87.35.29,77.89.202.194,77.93.26.226,77.95.1.42,78.100.70.190,78.106.112.22,78.106.27.17,78.107.250.204,78.108.177.50,78.108.177.51,78.108.177.52,78.108.177.53,78.108.177.54,78.109.234.53,78.128.112.10,78.128.112.26,78.128.112.38,78.128.112.46,78.128.112.54,78.128.112.62,78.128.112.94,78.128.112.98,78.128.60.137,78.128.80.186,78.129.131.154,78.129.204.101,78.129.225.103,78.130.148.98,78.130.210.40,78.137.197.8,78.140.164.87,78.140.206.38,78.141.94.11,78.142.9.161,78.152.161.163,78.154.53.197,78.157.225.29,78.157.49.103,78.158.142.247,78.159.56.217,78.180.150.203,78.186.153.197,78.186.224.164,78.186.39.84,78.186.49.7,78.186.65.45,78.187.139.112,78.187.145.191] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 72"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403371; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [78.187.159.164,78.188.200.132,78.188.34.6,78.188.54.174,78.189.109.231,78.189.125.151,78.189.149.115,78.189.215.37,78.189.53.94,78.192.1.117,78.195.178.119,78.196.118.157,78.197.112.5,78.198.69.64,78.204.123.164,78.205.42.32,78.209.166.42,78.210.109.21,78.210.164.140,78.21.42.89,78.211.128.54,78.219.196.85,78.221.115.22,78.221.180.123,78.221.188.140,78.221.196.148,78.228.3.3,78.237.19.53,78.29.93.30,78.30.247.150,78.36.19.160,78.38.114.203,78.38.116.154,78.38.80.243,78.38.80.245,78.38.80.246,78.38.81.62,78.38.93.8,78.41.92.45,78.63.192.30,78.66.176.12,78.68.121.19,78.68.121.240,78.72.103.191,78.72.106.148,78.72.168.136,78.73.67.216,78.83.27.112,78.83.84.60,78.84.129.98] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 73"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403372; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [78.85.189.93,78.90.160.186,78.93.249.132,78.94.14.122,78.96.32.107,78.96.32.178,78.97.35.143,78.99.39.44,79.1.102.184,79.106.48.54,79.107.198.32,79.107.210.190,79.107.218.103,79.109.36.83,79.110.159.35,79.110.159.56,79.110.159.63,79.110.159.88,79.115.53.173,79.124.56.130,79.124.61.13,79.125.180.146,79.127.102.220,79.134.7.198,79.136.43.133,79.137.111.154,79.138.8.235,79.143.180.170,79.156.162.206,79.164.17.128,79.166.140.161,79.170.191.139,79.173.248.128,79.174.33.125,79.174.38.172,79.18.70.77,79.187.25.58,79.210.106.217,79.250.174.198,79.36.239.162,79.40.149.167,79.43.57.108,79.43.63.157,79.49.217.58,79.51.100.119,79.58.203.97,79.60.230.61,79.61.25.156,79.8.58.16,79.93.220.195] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 74"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403373; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [80.11.226.121,80.11.47.135,80.11.87.2,80.114.195.168,80.116.113.114,80.12.85.13,80.13.228.2,80.13.237.244,80.149.253.38,80.15.161.173,80.15.181.83,80.151.53.44,80.170.70.147,80.178.145.8,80.188.51.202,80.190.174.16,80.191.209.85,80.2.34.69,80.211.104.51,80.211.114.24,80.211.114.27,80.211.139.182,80.211.147.147,80.211.177.43,80.211.185.78,80.211.191.116,80.211.233.155,80.211.240.234,80.211.244.92,80.211.246.121,80.211.249.109,80.211.35.21,80.211.40.235,80.211.63.37,80.211.7.178,80.211.82.251,80.216.144.23,80.217.150.8,80.219.233.222,80.221.153.61,80.227.122.90,80.229.218.225,80.233.148.189,80.234.108.5,80.237.93.19,80.238.134.13,80.241.45.19,80.251.49.42,80.254.123.48,80.28.247.179] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 75"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403374; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [80.32.190.147,80.38.198.179,80.44.211.83,80.52.184.141,80.65.164.218,80.71.255.124,80.74.227.11,80.76.107.108,80.80.214.114,80.82.60.14,80.82.67.117,80.82.70.137,80.82.77.139,80.82.77.33,80.82.82.12,80.90.82.98,80.93.210.82,80.98.240.12,81.0.72.246,81.10.94.244,81.16.11.200,81.16.8.45,81.162.194.18,81.164.119.23,81.165.184.121,81.165.252.145,81.169.213.74,81.170.131.21,81.170.140.140,81.17.65.85,81.174.40.74,81.175.86.200,81.175.86.214,81.177.142.149,81.177.218.37,81.18.77.6,81.190.122.33,81.199.48.227,81.20.152.8,81.21.81.86,81.213.125.209,81.213.143.21,81.213.144.74,81.214.120.22,81.214.134.158,81.214.187.162,81.214.39.152,81.214.50.147,81.215.193.212,81.218.100.125] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 76"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403375; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [81.218.131.137,81.218.139.236,81.218.141.105,81.218.163.95,81.218.176.146,81.218.185.216,81.218.78.30,81.22.17.251,81.224.146.40,81.225.90.120,81.226.100.101,81.230.150.141,81.230.157.230,81.230.175.129,81.230.96.43,81.230.98.67,81.231.159.232,81.231.42.138,81.234.207.211,81.24.94.68,81.248.60.236,81.248.78.45,81.250.128.191,81.250.232.244,81.26.245.206,81.27.38.156,81.5.72.221,81.53.155.68,81.7.10.242,81.82.52.68,81.94.250.133,81.95.231.225,82.102.13.214,82.102.158.84,82.102.173.69,82.102.188.199,82.103.134.122,82.113.153.150,82.113.72.190,82.114.241.41,82.114.246.178,82.114.91.170,82.117.205.146,82.117.235.56,82.117.246.31,82.118.164.20,82.118.170.148,82.127.195.10,82.127.209.173,82.127.211.95] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 77"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403376; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [82.143.92.162,82.144.74.211,82.164.120.151,82.166.238.170,82.169.88.20,82.177.231.99,82.178.121.231,82.178.162.196,82.185.148.186,82.192.237.239,82.193.125.100,82.193.135.136,82.196.123.86,82.197.241.45,82.200.16.74,82.200.180.122,82.200.191.122,82.200.199.198,82.200.208.6,82.200.247.230,82.201.134.186,82.202.133.34,82.202.197.196,82.202.197.211,82.202.197.216,82.202.209.155,82.208.186.154,82.208.188.118,82.209.219.193,82.209.231.55,82.209.250.231,82.209.65.103,82.209.67.57,82.21.218.36,82.212.125.12,82.213.236.190,82.214.44.252,82.218.173.178,82.218.207.203,82.221.105.6,82.221.105.7,82.222.59.107,82.232.89.194,82.236.96.139,82.245.177.183,82.245.4.251,82.29.166.38,82.37.242.188,82.38.114.119,82.45.209.37] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 78"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403377; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [82.47.156.228,82.62.192.189,82.64.25.207,82.64.3.51,82.77.146.164,82.77.47.238,82.78.201.172,82.78.52.173,82.80.61.215,82.81.67.188,82.81.69.65,82.81.89.201,83.110.237.34,83.110.249.72,83.110.251.72,83.136.116.162,83.137.48.114,83.143.246.30,83.146.71.46,83.147.104.215,83.148.67.31,83.150.63.161,83.151.224.177,83.151.235.75,83.166.161.91,83.167.125.213,83.171.120.88,83.172.22.200,83.174.242.166,83.178.12.230,83.179.216.149,83.180.69.51,83.183.132.109,83.184.21.89,83.191.186.59,83.191.187.14,83.209.10.164,83.209.106.244,83.209.157.211,83.209.163.204,83.209.177.162,83.209.217.145,83.209.247.117,83.209.247.37,83.209.247.53,83.209.248.201,83.209.249.33,83.209.250.91,83.209.251.205,83.209.255.221] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 79"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403378; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [83.209.45.146,83.209.6.9,83.219.202.132,83.220.89.185,83.233.197.93,83.233.68.203,83.233.68.52,83.233.69.7,83.234.175.201,83.234.96.38,83.242.177.139,83.243.75.214,83.248.121.94,83.248.179.174,83.249.124.148,83.249.124.174,83.249.124.218,83.249.125.115,83.249.220.51,83.249.90.114,83.249.90.155,83.251.140.121,83.252.9.204,83.252.9.5,83.253.82.214,83.254.148.180,83.254.149.242,83.254.225.156,83.40.236.132,83.42.20.228,83.68.240.132,83.68.240.134,83.68.244.51,83.68.254.136,83.77.7.139,83.96.65.209,84.1.175.227,84.101.59.6,84.118.33.123,84.121.49.141,84.147.133.156,84.16.143.237,84.183.170.178,84.193.181.150,84.193.42.115,84.194.200.26,84.195.17.232,84.196.47.35,84.2.39.135,84.221.67.146] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 80"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403379; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [84.223.126.73,84.223.234.82,84.228.30.198,84.228.38.61,84.232.235.0,84.234.96.139,84.236.121.78,84.236.165.200,84.236.179.195,84.236.37.92,84.237.181.194,84.237.230.18,84.237.232.205,84.238.186.254,84.238.34.227,84.238.34.59,84.24.99.47,84.243.8.156,84.245.108.233,84.246.145.22,84.36.72.242,84.41.86.135,84.51.29.123,84.51.52.111,84.53.218.108,84.62.12.223,84.90.51.203,84.95.58.30,85.100.169.238,85.104.119.194,85.104.2.218,85.105.211.245,85.105.232.217,85.105.32.84,85.105.61.130,85.105.69.101,85.11.48.222,85.11.48.92,85.111.3.40,85.112.177.161,85.112.178.103,85.112.43.182,85.113.184.188,85.130.108.64,85.132.78.94,85.134.34.90,85.136.1.172,85.143.139.2,85.145.109.0,85.15.190.102] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 81"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403380; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [85.15.80.28,85.154.185.112,85.159.0.159,85.159.66.239,85.159.66.99,85.166.2.187,85.174.84.86,85.175.134.121,85.175.5.120,85.175.73.137,85.184.179.206,85.185.232.133,85.187.165.11,85.191.68.61,85.195.72.45,85.195.95.62,85.203.128.172,85.203.142.102,85.204.139.45,85.204.46.220,85.221.32.239,85.222.98.226,85.226.34.203,85.227.196.156,85.228.10.73,85.228.217.21,85.229.18.221,85.234.127.212,85.234.35.199,85.234.36.11,85.234.37.139,85.234.38.81,85.24.143.177,85.24.185.163,85.243.61.172,85.26.107.202,85.29.137.83,85.30.181.40,85.37.19.205,85.53.36.113,85.72.39.169,85.8.27.151,85.8.38.82,85.8.51.102,85.85.233.94,85.91.96.162,85.92.152.5,85.92.158.173,85.93.20.249,85.93.20.62] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 82"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403381; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [85.94.95.254,85.95.183.202,85.96.183.83,85.96.190.71,85.96.192.75,85.97.191.16,85.98.12.15,86.101.40.167,86.104.231.106,86.104.73.74,86.106.201.120,86.109.49.132,86.122.208.203,86.122.48.204,86.134.72.7,86.172.180.149,86.178.196.99,86.180.195.198,86.243.248.202,86.247.193.147,86.252.3.124,86.34.30.105,86.34.51.55,86.34.77.140,86.35.35.154,86.51.185.118,86.57.226.8,86.57.239.170,86.59.149.24,86.62.93.117,86.75.97.194,86.81.224.25,86.96.156.156,86.96.206.198,87.100.173.87,87.101.123.51,87.101.151.189,87.103.134.71,87.103.135.245,87.106.184.57,87.106.29.44,87.107.78.59,87.11.138.24,87.112.166.174,87.117.52.70,87.118.36.84,87.118.38.247,87.118.58.185,87.118.58.254,87.121.156.30] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 83"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403382; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [87.132.81.255,87.138.165.115,87.155.218.242,87.198.120.49,87.21.158.104,87.214.88.194,87.224.138.249,87.225.21.182,87.229.182.106,87.229.20.112,87.236.95.55,87.237.237.179,87.240.52.101,87.240.57.11,87.241.104.111,87.241.105.57,87.241.106.125,87.241.106.15,87.241.106.231,87.241.138.200,87.244.44.218,87.248.20.71,87.248.64.230,87.249.4.2,87.251.81.86,87.252.62.93,87.252.99.98,87.253.10.142,87.253.87.3,87.255.211.17,87.27.157.136,87.27.157.88,87.27.31.41,87.27.84.84,87.60.66.188,87.61.232.98,87.64.139.220,87.67.28.62,87.76.12.133,87.76.13.204,87.8.203.63,87.96.130.90,87.96.136.3,87.96.146.111,87.97.219.130,88.124.237.228,88.126.60.184,88.127.172.14,88.129.208.35,88.129.208.43] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 84"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403383; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
# Groups 85 and 86 list the consecutive hosts 88.202.190.132-158 address by
# address; the run crosses the 50-address group boundary.
alert ip [88.129.208.44,88.129.208.46,88.129.22.250,88.129.22.37,88.129.235.252,88.129.68.64,88.129.75.151,88.135.37.22,88.135.37.90,88.146.202.213,88.147.153.155,88.148.44.183,88.149.181.240,88.158.222.42,88.165.199.158,88.165.63.5,88.168.115.1,88.171.242.69,88.173.19.214,88.174.4.30,88.184.210.122,88.188.204.35,88.190.183.18,88.198.32.77,88.199.102.36,88.200.167.79,88.2.155.142,88.202.190.132,88.202.190.133,88.202.190.134,88.202.190.135,88.202.190.136,88.202.190.137,88.202.190.138,88.202.190.139,88.202.190.140,88.202.190.141,88.202.190.142,88.202.190.143,88.202.190.144,88.202.190.145,88.202.190.146,88.202.190.147,88.202.190.148,88.202.190.149,88.202.190.150,88.202.190.151,88.202.190.152,88.202.190.153,88.202.190.154] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 85"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403384; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [88.202.190.155,88.202.190.156,88.202.190.157,88.202.190.158,88.202.70.114,88.204.242.54,88.205.170.90,88.206.10.30,88.209.82.74,88.225.231.180,88.23.48.222,88.231.25.195,88.241.128.77,88.242.133.211,88.246.13.159,88.247.130.164,88.247.134.52,88.247.159.108,88.247.222.92,88.247.249.132,88.247.60.215,88.248.138.74,88.248.61.11,88.249.122.116,88.249.180.191,88.250.137.194,88.250.200.251,88.250.237.120,88.250.46.143,88.255.138.75,88.255.251.147,88.26.254.242,88.5.89.70,88.64.148.38,88.80.189.160,88.82.167.105,88.87.207.27,88.9.205.24,89.100.89.76,89.102.156.70,89.102.4.154,89.104.109.70,89.106.101.139,89.106.111.58,89.107.36.160,89.109.54.211,89.120.28.84,89.120.68.83,89.122.77.108,89.131.186.247] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 86"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403385; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [89.133.150.4,89.153.84.228,89.155.76.16,89.158.114.85,89.158.72.249,89.160.56.65,89.163.206.236,89.163.222.76,89.164.117.212,89.165.10.0,89.165.57.126,89.169.215.232,89.176.148.96,89.176.68.16,89.178.228.248,89.185.228.251,89.186.29.31,89.187.64.139,89.189.172.201,89.189.5.210,89.190.209.225,89.19.99.89,89.191.9.132,89.20.36.2,89.211.227.172,89.211.253.130,89.212.171.110,89.212.216.99,89.212.73.27,89.216.56.67,89.218.13.203,89.218.151.166,89.218.155.75,89.218.2.109,89.218.233.226,89.22.110.218,89.221.89.236,89.230.11.253,89.232.34.116,89.232.74.42,89.233.219.110,89.233.219.121,89.233.219.153,89.233.219.172,89.233.219.180,89.233.219.37,89.233.219.46,89.233.219.65,89.233.219.72,89.233.219.93] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 87"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403386; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [89.233.219.94,89.235.5.125,89.238.139.54,89.239.163.136,89.239.73.139,89.248.110.13,89.248.115.120,89.248.160.199,89.248.162.164,89.248.167.131,89.248.172.16,89.248.174.3,89.249.1.170,89.250.166.71,89.28.131.154,89.29.122.108,89.35.39.153,89.35.39.78,89.35.47.112,89.41.173.146,89.41.173.154,89.41.173.169,89.41.173.208,89.41.173.211,89.42.210.119,89.43.30.234,89.43.67.45,89.90.163.13,90.100.70.108,90.10.243.218,90.105.151.181,90.12.219.46,90.125.195.217,90.126.82.15,90.139.132.50,90.142.35.231,90.142.38.102,90.142.44.5,90.144.182.169,90.145.66.43,90.146.49.150,90.150.172.227,90.150.201.238,90.150.201.90,90.150.203.229,90.150.203.245,90.150.206.76,90.150.21.51,90.150.240.150,90.150.243.228] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 88"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403387; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;)
alert ip [90.150.246.223,90.150.246.62,90.150.248.232,90.150.248.93,90.150.249.48,90.150.251.152,90.150.253.162,90.150.255.207,90.150.255.5,90.150.90.182,90.151.148.17,90.151.151.34,90.151.200.1,90.151.200.52,90.151.200.57,90.151.201.11,90.151.201.141,90.151.201.217,90.151.202.173,90.151.202.212,90.151.202.48,90.151.203.78,90.151.204.251,90.151.204.254,90.151.204.44,90.151.204.90,90.151.205.187,90.151.205.189,90.151.207.132,90.151.59.199,90.151.80.144,90.151.80.150,90.151.80.19,90.151.80.218,90.151.80.25,90.151.81.169,90.151.81.64,90.151.82.123,90.151.82.201,90.151.82.34,90.151.83.202,90.151.83.242,90.151.84.27,90.151.84.44,90.151.85.10,90.151.85.118,90.151.85.199,90.151.85.230,90.151.85.242,90.151.86.108] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 89"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; 
classtype:misc-attack; sid:2403388; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [90.151.87.144,90.151.87.194,90.151.88.168,90.151.88.199,90.151.88.227,90.151.88.35,90.151.88.63,90.151.90.129,90.151.90.164,90.151.90.220,90.151.91.169,90.151.91.184,90.151.91.24,90.151.91.246,90.151.91.41,90.151.91.55,90.151.91.60,90.151.93.43,90.151.93.49,90.151.93.60,90.151.94.200,90.151.94.39,90.151.95.51,90.154.198.35,90.154.79.59,90.154.80.135,90.154.81.43,90.154.84.251,90.154.89.60,90.154.91.184,90.154.95.23,90.157.44.30,90.157.67.15,90.178.194.142,90.181.236.75,90.188.9.35,90.189.151.104,90.224.194.245,90.224.194.247,90.224.222.79,90.226.217.56,90.227.79.94,90.231.152.18,90.236.192.94,90.76.157.181,90.77.78.218,90.79.192.30,90.87.88.48,90.91.179.178,90.92.201.13] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 90"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403389; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [90.92.71.55,91.103.25.202,91.103.29.204,91.105.147.193,91.109.13.124,91.109.3.15,91.113.119.233,91.121.103.154,91.121.161.124,91.121.79.40,91.123.200.125,91.125.0.165,91.126.206.60,91.126.212.249,91.13.209.56,91.131.204.190,91.134.185.81,91.134.185.85,91.134.185.87,91.134.185.88,91.134.185.91,91.134.185.93,91.134.185.94,91.135.194.178,91.136.49.23,91.143.53.216,91.143.63.229,91.144.135.214,91.146.105.192,91.154.138.122,91.162.239.200,91.177.116.229,91.179.55.136,91.185.41.22,91.185.69.93,91.188.188.201,91.189.121.90,91.189.184.138,91.189.184.162,91.189.185.42,91.193.78.98,91.194.206.143,91.194.250.222,91.195.99.114,91.196.94.148,91.197.174.16,91.200.126.90,91.206.19.213,91.207.175.154,91.211.46.107] 
any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 91"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403390; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [91.213.175.109,91.213.46.35,91.213.46.55,91.213.46.80,91.214.235.103,91.214.71.119,91.214.86.197,91.218.212.187,91.219.156.163,91.219.202.2,91.221.244.9,91.221.57.77,91.222.25.140,91.223.175.50,91.223.180.183,91.224.204.214,91.225.79.162,91.225.9.113,91.226.140.115,91.227.28.120,91.227.2.9,91.230.136.217,91.231.165.126,91.231.219.132,91.232.48.29,91.233.90.57,91.235.116.78,91.235.69.95,91.236.24.29,91.237.253.78,91.237.94.7,91.238.248.20,91.238.25.62,91.250.22.133,91.250.47.173,91.56.235.238,91.72.220.120,91.80.137.167,91.89.176.206,91.92.186.2,91.93.164.13,91.93.3.238,91.93.56.11,91.98.88.151,92.0.67.134,92.11.11.134,92.114.194.160,92.124.136.233,92.124.144.248,92.154.29.202] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 92"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403391; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[92.154.66.94,92.186.61.89,92.211.222.0,92.220.120.137,92.222.156.251,92.222.181.237,92.237.35.142,92.238.51.136,92.241.87.126,92.242.109.38,92.242.122.162,92.244.152.241,92.244.36.74,92.246.76.27,92.246.76.47,92.246.76.61,92.252.189.41,92.253.176.129,92.253.218.6,92.254.140.140,92.254.153.163,92.254.167.40,92.255.206.207,92.27.125.203,92.27.159.112,92.3.170.225,92.39.220.39,92.42.111.18,92.42.47.30,92.43.104.99,92.46.205.230,92.46.48.19,92.50.171.62,92.50.208.62,92.50.26.45,92.53.64.59,92.53.64.60,92.53.64.90,92.53.76.210,92.53.76.211,92.53.90.143,92.53.90.177,92.53.90.179,92.53.90.181,92.53.90.182,92.53.90.191,92.53.90.198,92.53.90.212,92.53.90.242,92.6.252.81] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 93"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403392; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [92.62.228.17,92.63.197.100,92.63.197.18,92.63.23.128,92.81.125.130,92.81.31.106,92.83.0.82,92.83.177.210,92.83.242.234,92.87.98.2,92.89.109.56,93.102.204.222,93.103.157.128,93.103.192.5,93.113.96.62,93.114.150.139,93.115.28.164,93.115.28.177,93.115.64.104,93.122.144.94,93.123.199.41,93.124.36.114,93.126.62.131,93.149.123.186,93.153.21.208,93.157.144.10,93.157.144.9,93.157.58.131,93.16.144.25,93.170.113.246,93.170.190.215,93.171.208.195,93.171.29.27,93.174.93.143,93.174.93.149,93.174.93.218,93.174.93.241,93.174.95.106,93.176.170.37,93.177.137.68,93.180.21.1,93.183.163.123,93.184.14.41,93.184.206.243,93.184.238.32,93.184.8.142,93.185.75.254,93.186.253.206,93.188.159.229,93.190.206.217] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 94"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403393; rev:45778; 
metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [93.191.113.242,93.191.40.47,93.23.240.112,93.235.99.171,93.241.237.105,93.33.167.145,93.39.228.181,93.41.182.232,93.43.107.241,93.43.12.240,93.43.61.240,93.46.110.93,93.47.149.10,93.48.89.82,93.50.125.249,93.63.184.142,93.75.150.5,93.79.254.250,93.81.159.207,93.84.111.7,93.87.51.154,93.87.51.157,93.87.76.156,93.87.76.53,93.89.225.137,93.89.225.149,93.89.225.157,93.89.225.54,93.89.225.81,93.89.232.16,93.89.232.22,93.89.232.9,93.95.98.40,94.101.181.212,94.101.190.152,94.102.225.106,94.102.49.190,94.102.49.193,94.102.52.195,94.103.12.92,94.110.70.95,94.12.43.246,94.124.117.97,94.124.118.1,94.125.163.125,94.132.230.45,94.133.155.64,94.137.64.2,94.138.26.181,94.141.92.27] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 95"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403394; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [94.156.93.151,94.156.93.152,94.156.93.153,94.156.93.154,94.156.93.155,94.156.93.156,94.156.93.158,94.156.93.159,94.156.93.199,94.156.93.253,94.177.199.161,94.179.133.22,94.180.109.183,94.182.198.22,94.182.209.57,94.182.97.220,94.183.214.44,94.189.181.243,94.191.18.96,94.191.33.211,94.191.90.133,94.191.94.144,94.199.215.50,94.200.185.210,94.201.160.222,94.204.254.147,94.205.66.58,94.207.26.73,94.213.132.65,94.22.85.173,94.221.147.11,94.226.148.22,94.228.31.253,94.229.76.58,94.23.225.175,94.23.240.136,94.23.8.167,94.231.130.172,94.233.73.110,94.241.52.183,94.243.49.98,94.244.6.10,94.245.59.183,94.246.111.168,94.249.192.144,94.254.23.73,94.254.35.29,94.255.186.250,94.255.190.9,94.255.198.12] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence 
Poor Reputation IP group 96"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403395; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [94.255.246.177,94.255.246.218,94.255.246.250,94.255.247.114,94.255.247.17,94.255.247.18,94.255.247.25,94.255.247.26,94.27.195.238,94.32.67.212,94.37.28.231,94.50.113.86,94.50.114.151,94.50.114.46,94.50.116.176,94.50.116.74,94.50.118.223,94.50.121.48,94.50.123.205,94.50.124.175,94.50.132.146,94.50.144.174,94.50.146.248,94.50.153.18,94.50.153.193,94.50.156.176,94.50.157.109,94.50.159.219,94.50.205.46,94.50.230.220,94.50.234.46,94.50.236.50,94.50.237.85,94.50.25.71,94.50.54.110,94.5.211.222,94.51.112.87,94.51.114.223,94.51.121.165,94.51.124.58,94.51.125.159,94.51.132.91,94.51.76.8,94.52.1.199,94.61.36.27,94.63.23.174,94.66.242.125,94.71.149.104,94.73.162.68,94.73.221.13] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 97"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403396; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip 
[94.76.133.143,94.77.237.218,94.97.30.219,95.0.13.59,95.0.216.22,95.103.93.99,95.104.112.19,95.105.142.248,95.109.41.102,95.124.255.96,95.135.197.230,95.137.182.15,95.143.113.125,95.152.53.63,95.155.4.181,95.158.153.109,95.160.31.123,95.161.196.66,95.165.198.214,95.167.21.75,95.167.7.164,95.169.143.174,95.170.216.38,95.174.64.195,95.174.67.126,95.174.97.229,95.175.99.43,95.177.137.58,95.179.209.8,95.181.131.211,95.181.178.182,95.181.179.117,95.181.179.70,95.181.3.118,95.181.3.161,95.181.3.181,95.183.42.36,95.21.227.13,95.211.137.68,95.211.217.193,95.213.177.125,95.213.177.126,95.215.0.235,95.215.96.231,95.220.124.152,95.221.48.35,95.242.60.172,95.243.167.84,95.247.241.153,95.27.165.94] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 98"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403397; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [95.27.74.5,95.28.13.5,95.28.189.213,95.31.249.85,95.34.54.82,95.38.213.74,95.42.11.95,95.46.104.37,95.46.116.6,95.53.130.169,95.57.48.94,95.58.18.34,95.58.18.50,95.59.69.246,95.6.45.151,95.6.68.195,95.67.14.59,95.67.14.65,95.68.139.181,95.69.240.142,95.70.182.116,95.71.170.224,95.72.236.152,95.72.61.74,95.79.34.52,95.80.252.132,95.81.202.244,95.81.214.30,95.81.217.108,95.84.143.48,95.84.145.56,95.84.155.87,95.84.160.195,95.84.167.200,95.84.182.140,95.84.186.63,95.84.193.126,95.84.194.202,95.84.195.233,95.84.199.131,95.84.216.132,95.84.223.51,95.84.228.212,95.84.237.222,95.84.251.3,95.85.108.78,95.85.85.58,95.87.24.250,95.90.12.63,95.9.116.78] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 99"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403398; rev:45778; 
metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) alert ip [95.9.130.150,95.9.175.216,95.9.188.210,95.9.242.236,95.9.255.240,95.9.45.63,96.18.33.164,96.230.13.111,96.232.40.112,96.244.55.27,96.29.177.110,96.30.227.218,96.30.75.179,96.33.2.148,96.36.101.238,96.4.166.79,96.4.95.163,96.43.89.132,96.47.232.193,96.51.105.7,96.52.43.198,96.56.105.140,96.58.3.246,96.62.60.194,96.64.15.52,96.64.178.150,96.66.214.89,96.67.102.187,96.67.109.131,96.67.112.219,96.67.224.11,96.72.118.178,96.77.50.121,96.80.251.85,96.8.127.33,96.81.119.22,96.83.149.142,96.83.51.150,96.84.165.99,96.86.252.6,96.87.237.203,96.87.237.210,96.88.228.154,96.9.246.147,97.75.147.237,97.79.2.3,97.88.224.7,97.88.73.124,97.96.1.141,97.99.13.167] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 100"; reference:url,www.cinsscore.com; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403399; rev:45778; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag CINS, signature_severity Major, created_at 2013_10_08, updated_at 2018_12_19;) # # $Id: emerging-compromised.rules # Rules to block known hostile or compromised hosts. These lists are updated daily or better from many sources # #Sources include: # # Daniel Gerzo's BruteForceBlocker # http://danger.rulez.sk/projects/bruteforceblocker/ # # The OpenBL # http://www.openbl.org/ (formerly sshbl.org) # # And the Emerging Threats Sandnet and SidReporter Projects # # More information available at www.emergingthreats.net # # Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. 
# # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # # VERSION 4922 # Generated 2018-12-19 00:30:01 EDT alert ip [101.231.101.140,103.101.194.70,103.114.106.252,103.115.227.2,103.206.123.175,103.207.36.187,103.218.3.8,103.228.222.249,103.23.102.3,103.23.102.7,103.231.78.221,103.241.146.65,103.243.181.7,103.29.105.150,103.44.144.53,103.5.112.128,103.56.189.134,103.61.44.83,103.63.215.102,103.79.141.224,103.81.134.86,103.85.93.30,103.9.22.98,103.95.197.43,103.9.88.249,104.128.68.78,104.131.146.73,104.131.37.34,104.131.58.247,104.131.90.193] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 1"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500000; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [104.168.144.8,104.168.57.7,104.168.71.104,104.198.154.16,104.199.198.7,104.233.73.213,104.234.223.14,104.236.175.127,104.236.214.8,104.236.38.105,104.236.41.62,104.236.72.187,104.248.11.46,104.248.121.89,104.248.128.101,104.248.135.201,104.248.157.6,104.248.180.163,104.248.182.124,104.248.21.133,104.248.221.109,104.248.223.115,104.248.232.221,104.248.23.238,104.248.237.232,104.248.237.238,104.248.254.51,104.248.28.73,104.248.36.97,104.248.44.44] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 2"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500002; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[104.248.59.105,104.248.64.25,104.248.67.31,104.248.67.57,105.235.201.251,106.12.11.233,106.12.124.186,106.12.36.42,106.12.81.245,106.12.85.203,106.12.95.147,106.51.39.163,106.51.66.214,106.51.72.37,106.51.74.7,107.0.156.82,107.155.164.132,107.170.229.232,107.170.231.130,107.170.95.116,108.170.31.112,108.176.0.2,108.235.160.215,108.61.192.121,109.104.173.46,109.177.157.54,109.202.18.235,109.252.231.164,109.254.254.3,109.73.46.142] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 3"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500004; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [109.74.83.69,110.10.129.170,110.10.189.191,110.141.243.23,110.185.166.137,110.44.126.83,111.167.77.91,111.177.19.7,111.186.56.39,111.200.52.250,111.207.49.184,111.40.120.33,111.74.239.115,112.155.143.87,112.161.175.197,112.166.148.28,112.175.106.151,112.65.170.186,112.95.232.221,113.106.92.60,113.124.205.30,113.137.34.52,113.189.111.41,114.108.181.130,114.112.104.12,114.112.104.13,114.67.62.121,115.146.127.134,115.68.226.124,116.196.76.135] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 4"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500006; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[116.203.20.49,116.231.80.82,116.31.116.2,117.102.88.122,117.156.94.32,117.36.157.226,117.74.120.203,118.140.31.22,118.151.209.119,118.182.77.182,118.192.9.10,118.193.26.58,118.24.196.128,118.24.217.141,118.24.221.190,118.24.91.241,118.25.128.19,118.25.190.84,118.25.230.109,118.25.45.75,118.25.55.87,118.25.62.242,118.25.72.123,118.27.20.185,118.39.225.210,118.45.190.133,118.67.219.101,118.69.37.109,118.89.240.78,118.89.61.228] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 5"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500008; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [118.97.111.210,118.97.213.118,118.98.127.138,119.11.182.131,119.18.155.82,119.192.239.192,119.201.214.130,119.235.24.244,119.28.100.199,119.28.226.230,119.29.147.99,119.29.168.114,119.29.170.202,119.29.191.98,119.29.65.240,119.97.170.34,120.131.9.177,120.132.101.20,120.132.68.249,120.92.19.174,121.12.151.250,121.183.203.60,121.190.102.54,121.22.80.117,121.237.247.243,121.241.247.176,121.67.246.139,121.88.250.84,122.114.166.173,122.146.86.11] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 6"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500010; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[122.152.194.198,122.154.139.129,122.154.35.164,122.165.119.22,122.224.214.18,122.228.244.100,122.37.21.33,123.157.164.165,123.207.142.31,123.207.229.71,1.237.178.27,124.117.238.228,124.6.139.242,125.134.251.45,125.139.180.128,125.18.149.34,125.209.108.165,125.212.203.113,125.227.77.88,125.46.49.120,125.67.237.15,125.75.47.46,125.94.44.113,128.199.102.157,128.199.107.225,128.199.108.121,128.199.108.25,128.199.128.215,128.199.140.214,128.199.145.205] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 7"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500012; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [128.199.189.192,128.199.202.206,128.199.220.232,128.199.230.56,128.199.235.173,128.199.37.142,128.199.82.13,128.199.85.125,128.199.86.24,128.199.86.89,128.199.87.213,129.204.18.89,129.205.15.174,12.96.122.37,130.61.54.191,132.232.105.220,132.232.46.186,13.251.251.70,133.130.89.28,134.175.12.105,134.175.39.108,136.24.115.104,136.243.168.34,13.64.79.207,13.67.50.214,137.116.207.14,137.116.86.33,137.63.184.139,137.74.112.125,137.74.202.166] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 8"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500014; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[137.74.26.179,138.197.106.54,138.197.137.95,138.197.195.194,138.197.31.190,138.197.44.25,138.197.5.191,138.197.73.155,138.255.0.12,138.68.104.242,138.68.109.5,138.68.12.43,138.68.131.225,138.68.167.71,138.68.253.236,138.68.31.105,138.68.40.43,138.68.78.196,138.68.87.0,138.68.95.223,13.91.52.195,139.198.18.240,139.199.207.137,139.199.207.31,139.255.83.52,13.93.75.219,139.59.106.82,139.59.128.195,139.59.130.225,139.59.135.26] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 9"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500016; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [139.59.146.113,139.59.15.159,139.59.165.4,139.59.170.48,139.59.173.17,139.59.225.138,139.59.230.18,139.59.23.79,139.59.39.49,139.59.46.243,139.59.65.128,139.59.93.89,140.143.136.89,140.143.138.69,140.143.151.93,140.143.157.207,140.143.197.220,140.143.201.236,140.143.208.42,140.143.28.139,14.102.154.66,14.1.29.76,14.139.60.53,14.142.178.103,14.18.100.90,141.85.160.16,141.85.224.117,142.176.173.142,142.44.184.156,142.93.100.148] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 10"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500018; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[142.93.108.2,142.93.109.33,142.93.118.186,142.93.125.238,142.93.135.158,142.93.160.109,142.93.168.8,142.93.18.15,142.93.218.128,142.93.241.93,142.93.245.81,142.93.25.227,142.93.255.76,142.93.68.151,142.93.88.101,142.93.88.170,143.255.129.98,144.217.103.172,144.217.165.197,144.217.165.52,144.217.42.212,144.217.54.187,144.217.79.233,145.239.81.103,145.249.104.196,14.63.221.108,147.135.208.109,147.135.211.21,148.101.229.219,149.202.196.79] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 11"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500020; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [149.202.234.211,149.202.32.223,149.28.146.89,149.56.15.98,149.56.27.127,150.109.194.36,150.109.44.53,150.131.194.143,150.217.73.228,150.242.15.46,150.95.66.109,151.182.106.5,151.80.140.166,151.80.144.255,151.80.144.39,151.80.155.98,152.249.246.65,153.254.115.57,154.211.14.209,154.8.216.11,154.8.219.151,154.91.201.237,155.0.32.9,155.4.226.134,156.237.129.214,157.230.12.57,157.253.205.71,157.92.26.222,158.69.110.31,158.69.197.113] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 12"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500022; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[158.69.212.254,159.203.12.180,159.203.139.128,159.203.170.121,159.203.171.199,159.203.179.230,159.203.27.150,159.203.67.146,159.203.99.19,159.65.111.89,159.65.112.93,159.65.114.94,159.65.12.204,159.65.147.218,159.65.162.8,159.65.179.4,159.65.199.33,159.65.207.87,159.65.226.15,159.65.230.251,159.65.239.104,159.65.30.66,159.65.34.82,159.65.5.209,159.65.88.2,159.65.94.135,159.65.99.90,159.89.101.178,159.89.106.145,159.89.115.126] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 13"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500024; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [159.89.12.0,159.89.151.124,159.89.158.161,159.89.170.154,159.89.173.56,159.89.180.93,159.89.205.73,159.89.238.243,159.89.32.222,159.89.38.0,159.89.54.241,159.89.80.104,160.119.248.238,160.16.115.116,160.20.15.113,160.20.188.192,161.132.195.76,162.201.90.36,162.219.176.186,162.241.201.128,162.243.102.34,162.243.10.64,162.243.158.198,162.243.226.222,163.13.115.20,163.158.153.56,163.172.155.182,163.172.156.106,163.172.35.93,163.172.53.188] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 14"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500026; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[163.172.71.131,163.53.150.134,164.132.107.245,164.132.205.21,164.132.228.213,164.132.43.198,164.132.51.216,164.132.56.243,164.77.52.230,165.227.11.173,165.227.17.252,165.227.184.21,165.227.213.46,165.227.5.206,165.227.5.57,165.227.66.87,165.227.9.145,165.227.93.58,167.114.155.116,167.114.234.173,167.114.235.137,167.114.76.175,167.98.62.6,167.99.100.127,167.99.133.23,167.99.140.209,167.99.144.82,167.99.162.197,167.99.173.0,167.99.180.229] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 15"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500028; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [167.99.194.197,167.99.194.54,167.99.202.197,167.99.212.134,167.99.221.140,167.99.221.99,167.99.236.45,167.99.3.40,167.99.4.112,167.99.54.4,167.99.66.83,167.99.75.74,167.99.79.191,167.99.80.191,167.99.84.229,167.99.84.60,168.131.122.170,168.194.140.130,168.194.163.110,168.197.240.12,169.48.64.250,170.210.60.25,170.210.88.50,171.11.231.58,171.50.207.216,173.248.242.154,173.249.0.177,173.249.31.76,173.249.5.140,173.249.51.81] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 16"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500030; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[174.138.17.18,174.138.4.137,174.83.89.225,175.118.69.8,175.142.59.85,175.143.100.125,175.215.62.195,175.42.200.178,175.6.5.52,176.111.72.225,176.118.55.178,176.31.100.19,176.31.182.158,176.31.191.61,176.31.253.105,177.103.179.92,177.103.187.159,177.124.89.14,177.19.181.10,177.233.8.83,177.43.249.186,177.69.118.197,177.86.127.79,177.94.224.157,178.128.107.147,178.128.107.61,178.128.112.98,178.128.119.59,178.128.13.21,178.128.144.227] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 17"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500032; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [178.128.201.224,178.128.204.135,178.128.210.61,178.128.215.16,178.128.215.202,178.128.221.237,178.128.254.89,178.128.59.191,178.128.75.54,178.128.81.136,178.128.97.174,178.159.249.66,178.16.20.66,178.26.134.234,178.32.105.63,178.32.137.119,178.33.169.140,178.33.169.152,178.33.169.154,178.33.233.146,178.33.233.54,178.62.193.179,178.62.201.159,178.62.204.176,178.62.214.85,178.62.252.89,178.62.61.192,178.62.94.180,178.63.68.84,179.159.114.30] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 18"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500034; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[179.185.67.221,179.228.242.120,180.101.45.68,180.159.157.41,180.167.10.39,180.167.93.22,180.170.215.131,180.196.97.70,180.250.115.98,180.250.159.50,180.250.248.39,180.76.162.45,180.76.51.114,180.97.197.232,181.115.248.125,181.135.133.216,181.188.187.139,181.188.208.46,181.28.191.54,181.40.76.162,181.58.119.34,182.18.162.136,18.223.108.52,182.23.18.194,18.224.129.21,182.61.13.138,182.71.188.10,183.107.101.201,183.107.101.213,183.107.101.240] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 19"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500036; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [183.107.101.246,183.107.101.252,183.110.253.146,183.136.239.37,183.82.106.77,184.58.139.187,185.103.16.25,185.130.225.67,185.143.223.191,185.144.14.148,185.148.38.112,185.148.38.44,185.15.173.83,185.153.196.24,185.154.110.154,185.184.24.186,185.189.115.37,185.207.232.232,185.227.110.251,185.238.72.255,185.241.4.160,185.244.25.194,185.245.96.209,185.254.120.6,185.254.97.113,185.35.137.85,185.39.203.148,185.43.209.158,185.52.1.9,185.54.178.38] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 20"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500038; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[185.61.44.72,185.79.251.116,185.86.193.68,185.89.129.70,186.120.187.234,186.15.24.34,186.207.162.26,186.223.130.160,186.24.43.28,186.249.209.22,186.250.48.17,186.68.141.108,186.96.102.198,187.1.171.98,187.167.73.69,187.16.96.35,187.178.175.199,187.188.146.35,187.188.84.214,187.190.236.88,187.190.252.120,187.19.49.74,187.19.62.11,187.51.6.218,187.8.167.210,187.95.182.164,188.0.133.241,188.131.148.40,188.165.178.193,188.165.224.141] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 21"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500040; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [188.165.242.200,188.166.109.131,188.166.13.45,188.166.149.81,188.166.171.252,188.166.17.82,188.166.1.95,188.166.213.254,188.166.238.9,188.166.243.150,188.166.46.47,188.166.81.123,188.166.93.231,188.213.165.8,188.219.40.66,188.254.96.132,188.2.61.41,188.40.168.138,188.95.226.94,189.125.2.234,190.0.56.254,190.13.231.21,190.14.247.90,190.153.219.50,190.153.222.250,190.163.32.185,190.166.162.193,190.186.55.91,190.3.114.110,190.98.228.53] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 22"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500042; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[191.102.99.172,191.186.131.181,191.37.68.8,192.0.160.81,192.144.137.95,192.166.218.31,192.241.176.17,192.241.218.222,192.241.227.172,192.241.246.50,192.252.209.190,192.99.14.119,192.99.252.97,192.99.36.76,193.112.3.110,193.112.88.80,193.193.67.82,193.201.224.194,193.201.224.8,193.248.32.156,193.252.7.22,193.253.47.65,193.70.0.42,193.70.26.50,193.70.39.84,193.70.79.213,193.70.85.206,193.70.91.115,194.110.211.196,194.30.64.101] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 23"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500044; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [194.36.173.228,194.36.173.229,194.61.24.110,194.61.24.117,194.61.24.134,194.61.27.222,194.61.27.55,195.123.240.143,195.138.78.160,195.145.171.156,195.154.171.171,195.154.207.115,195.154.233.159,195.154.48.111,195.201.22.119,195.22.141.33,195.84.49.20,196.189.255.5,196.200.49.150,196.203.83.1,196.35.157.124,196.43.133.126,197.156.88.195,197.216.3.224,197.50.95.190,198.144.184.122,198.199.123.9,198.211.110.97,198.23.189.18,198.27.67.173] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 24"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500046; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[198.46.182.139,198.98.53.194,199.180.133.129,199.180.133.182,199.187.123.157,199.19.224.83,199.19.225.65,199.19.226.226,200.116.105.213,200.188.133.91,200.196.240.60,200.236.22.213,200.44.50.155,200.48.27.147,200.50.67.105,200.54.51.126,200.90.11.218,201.145.204.74,201.17.130.197,201.212.168.67,201.217.54.211,201.218.209.83,202.112.180.69,202.120.47.213,202.130.121.50,202.131.227.60,202.137.10.186,202.142.217.131,202.154.56.238,202.158.64.18] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 25"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500048; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [202.166.206.166,202.29.237.77,202.29.30.206,202.29.98.39,202.51.74.78,202.65.148.98,202.65.154.100,202.65.154.101,202.71.176.113,202.71.176.121,202.75.216.136,203.101.176.154,203.113.25.6,203.170.145.26,203.195.149.112,203.198.158.147,203.223.131.196,203.223.159.44,203.229.196.132,203.73.132.169,203.86.8.44,204.48.21.117,204.85.191.38,205.129.191.187,205.185.115.48,205.185.118.238,205.185.120.192,205.185.121.241,205.185.124.107,205.185.126.201] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 26"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500050; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[206.189.100.77,206.189.112.167,206.189.126.136,206.189.127.175,206.189.127.6,206.189.130.225,206.189.141.49,206.189.149.126,206.189.158.230,206.189.225.85,206.189.232.29,206.189.239.156,206.189.3.162,206.189.75.170,206.189.81.182,206.189.83.245,206.189.90.210,207.154.201.27,207.180.203.241,207.180.250.202,207.253.210.56,209.141.33.57,209.141.33.72,209.141.36.84,209.141.40.127,209.141.49.123,209.141.50.57,209.141.51.29,209.141.53.249,209.141.53.94] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 27"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500052; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [209.141.60.206,209.141.62.36,209.250.224.125,209.97.142.250,209.97.143.101,209.97.163.46,209.97.164.5,209.97.171.132,209.97.173.192,209.97.185.47,209.97.189.84,210.12.73.217,210.209.82.175,210.209.89.160,210.5.120.237,210.61.97.145,210.9.148.206,211.110.140.77,211.181.197.181,211.226.176.47,211.252.84.20,211.253.25.21,211.253.27.171,212.114.60.200,212.145.227.246,212.195.196.45,212.224.125.240,212.224.125.247,212.230.156.160,212.235.37.130] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 28"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500054; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[212.237.14.193,212.237.2.55,212.237.53.15,212.34.228.170,212.44.65.22,212.47.239.29,212.72.214.40,212.89.171.146,212.92.124.101,213.186.170.226,213.215.179.114,213.234.26.179,213.255.5.20,213.26.2.162,213.32.91.37,213.32.97.165,213.41.102.5,213.79.122.137,216.169.152.133,217.128.99.119,217.170.205.77,217.182.204.107,217.182.74.125,217.182.79.139,217.182.95.16,217.19.148.142,217.40.104.61,217.64.105.134,217.8.49.195,217.92.99.172] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 29"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500056; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [218.148.136.1,218.17.157.72,218.19.141.70,218.26.168.3,218.28.90.246,218.4.168.82,218.60.28.195,218.93.241.173,219.146.137.26,219.153.15.122,219.240.64.110,220.117.172.98,220.128.119.251,220.130.178.36,220.133.198.188,220.247.174.203,220.85.111.168,220.90.129.103,220.95.232.137,221.11.92.82,221.125.235.4,221.203.38.14,221.204.177.165,221.2.158.154,221.216.57.23,221.236.187.36,221.7.13.54,222.122.50.237,222.122.51.242,222.128.93.67] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 30"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500058; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[222.134.47.2,222.186.50.204,222.187.224.15,222.233.52.185,222.240.233.210,222.87.49.93,223.111.136.213,223.171.32.55,223.171.32.56,223.171.32.66,223.197.201.154,223.89.72.102,223.89.72.141,223.89.72.152,23.100.127.57,23.130.192.130,23.21.34.77,23.225.129.30,2.32.80.60,24.103.40.86,24.157.240.106,24.197.169.8,24.21.9.212,24.238.16.122,24.37.196.182,24.37.29.246,24.49.175.75,27.116.18.158,27.32.120.206,27.74.245.136] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 31"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500060; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [27.82.195.171,31.14.133.167,31.14.139.27,31.168.250.174,31.168.73.2,31.207.35.138,31.211.80.204,34.202.100.176,34.212.82.25,34.254.148.16,35.184.165.231,35.194.222.250,35.201.9.203,35.203.111.58,35.204.180.129,35.220.168.193,35.225.235.131,35.227.26.43,35.235.64.241,35.236.239.36,35.236.79.13,35.237.3.56,35.237.36.246,35.245.177.218,36.110.182.68,36.248.211.253,36.41.185.111,36.99.34.70,37.107.78.168,37.139.20.56] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 32"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500062; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[37.187.0.20,37.187.110.186,37.187.114.136,37.187.118.14,37.187.147.84,37.187.25.138,37.187.54.45,37.195.105.57,37.48.76.51,37.49.224.198,37.49.225.223,37.49.227.153,37.59.100.22,37.59.110.165,37.59.35.147,37.59.62.23,37.59.99.243,38.78.210.2,40.112.51.228,40.113.216.196,40.113.219.180,40.68.21.0,40.76.61.76,40.89.160.139,41.214.20.60,41.222.196.57,41.223.4.155,41.231.54.126,41.89.96.81,42.123.97.3] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 33"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500064; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [43.225.180.227,43.225.180.45,43.228.245.80,43.228.71.14,43.240.97.186,43.254.53.148,43.255.31.122,45.117.30.235,45.119.212.105,45.119.83.195,45.122.222.253,45.225.25.35,45.248.86.155,45.55.145.31,45.55.156.153,45.55.156.159,45.55.243.106,45.55.254.13,45.55.35.40,45.55.67.128,45.55.93.159,45.63.37.31,45.64.1.166,45.70.15.148,45.77.121.167,46.101.103.207,46.101.106.24,46.101.118.166,46.101.14.183,46.101.192.45] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 34"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500066; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[46.101.225.187,46.101.228.166,46.101.22.87,46.101.230.131,46.101.238.207,46.101.56.230,46.105.163.94,46.105.36.238,46.148.21.32,46.174.115.14,46.189.55.130,46.219.3.139,46.227.244.34,46.246.38.141,46.246.41.142,46.246.42.16,46.246.44.134,46.246.45.171,46.246.63.161,46.251.239.75,46.251.239.77,46.29.160.27,46.37.21.62,46.45.143.35,46.7.80.194,47.140.188.208,47.180.162.186,47.205.245.164,47.22.130.82,49.247.212.15] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 35"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500068; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [49.248.167.102,50.202.207.81,50.21.180.85,50.248.154.57,50.28.32.251,50.7.155.86,5.101.1.19,5.101.65.162,51.145.137.251,51.15.148.170,51.15.195.156,51.15.40.120,51.15.68.150,51.158.20.35,51.15.98.148,51.254.101.74,51.254.112.58,51.254.125.33,51.254.140.108,51.254.201.64,51.254.38.52,51.254.39.23,51.254.47.198,51.254.97.224,51.255.174.164,51.255.194.249,51.255.197.18,51.255.35.58,51.255.44.46,51.255.83.44] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 36"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500070; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[51.255.91.75,5.132.126.15,5.135.152.97,5.135.180.133,5.135.181.11,5.135.185.155,51.38.126.172,51.38.128.30,51.38.133.110,51.38.133.136,51.38.176.147,51.38.185.238,51.38.231.249,51.38.237.214,51.38.48.127,51.38.58.42,51.38.68.193,51.38.82.60,51.68.122.5,51.68.123.198,51.68.141.225,51.68.198.119,51.68.227.49,51.68.44.126,51.68.82.218,51.75.120.244,51.75.122.16,51.75.123.184,51.75.124.43,51.75.126.137] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 37"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500072; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [51.75.142.40,51.75.16.138,51.75.16.93,51.75.200.16,51.75.207.61,51.75.23.199,51.75.24.207,51.75.246.179,51.75.247.138,51.75.251.33,51.75.26.106,51.75.26.236,51.75.28.166,51.75.28.50,51.75.29.64,51.75.34.88,51.75.67.193,51.77.141.158,51.77.146.247,5.189.147.108,5.189.171.24,5.196.66.30,5.196.70.227,5.196.75.42,5.196.75.47,52.142.221.80,52.172.142.80,5.228.248.50,52.74.206.191,52.80.17.227] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 38"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500074; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[5.39.68.229,5.39.77.117,5.39.85.220,54.153.0.121,54.36.162.74,54.36.181.173,54.36.189.143,54.36.189.240,54.36.47.248,54.37.14.3,54.37.149.175,54.37.158.40,54.37.210.25,54.37.232.137,54.37.254.57,54.37.31.242,54.37.82.213,54.38.214.95,54.38.34.11,54.39.45.95,58.120.227.29,58.135.224.45,58.185.168.45,58.187.24.143,58.187.24.200,58.214.218.36,58.218.205.248,58.218.213.11,58.218.213.156,58.218.66.96] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 39"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500076; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [58.238.187.240,5.83.160.192,5.83.162.36,5.83.163.234,58.38.224.89,58.87.122.190,58.87.124.200,58.87.90.33,59.120.243.8,59.120.57.247,59.127.172.234,59.152.100.134,59.175.144.22,60.250.243.186,60.251.211.241,60.54.119.170,61.126.46.148,61.137.151.135,61.19.246.239,61.219.45.81,61.237.144.140,61.39.198.160,61.84.7.222,62.119.14.198,62.173.145.147,62.218.23.244,62.234.104.99,62.234.8.41,63.135.16.12,65.31.17.204] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 40"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500078; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[66.219.25.84,66.242.170.49,66.70.179.213,67.171.17.78,67.205.142.246,67.205.153.16,67.205.167.142,67.205.177.0,68.132.139.19,68.178.91.34,68.183.100.62,68.183.101.78,68.183.112.15,68.183.113.232,68.183.120.30,68.183.124.72,68.183.131.252,68.183.134.93,68.183.135.211,68.183.137.118,68.183.137.154,68.183.16.68,68.183.21.151,68.183.230.186,68.183.49.49,68.183.52.89,68.183.55.81,68.183.60.150,68.183.62.109,68.183.68.76] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 41"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500080; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [68.183.73.159,68.183.78.99,69.162.65.34,69.55.54.20,69.60.21.172,70.24.189.203,70.35.197.239,70.37.53.169,71.179.163.188,73.108.52.30,73.118.83.233,73.14.210.177,73.15.91.251,73.243.42.250,73.26.245.243,73.53.95.248,74.50.211.150,75.106.25.5,75.90.94.180,76.77.176.50,76.85.64.152,77.231.66.164,77.59.223.6,78.100.18.81,78.139.9.6,78.142.29.118,78.193.8.166,78.36.200.208,78.36.7.170,78.46.94.247] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 42"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500082; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[79.11.169.178,79.134.4.138,79.137.75.32,79.137.82.213,79.157.102.101,79.162.250.134,79.177.82.221,79.2.22.244,79.83.246.80,80.121.154.116,80.211.109.70,80.211.110.159,80.211.113.140,80.211.114.24,80.211.14.153,80.211.2.206,80.211.38.77,80.211.43.160,80.211.51.18,80.211.64.244,80.211.72.118,80.211.81.141,80.211.85.241,80.227.38.93,80.82.112.243,80.82.46.19,80.82.51.103,80.82.67.246,80.87.33.134,80.95.188.129] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 43"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500084; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [80.95.96.61,81.154.9.226,81.174.227.27,81.174.39.219,81.217.48.144,81.47.128.178,81.93.75.71,82.123.7.162,82.146.61.36,82.165.64.120,82.196.12.151,82.200.204.254,82.242.169.217,82.253.102.182,82.64.74.91,82.64.8.34,83.202.59.182,83.212.103.26,83.222.220.58,83.228.53.153,84.200.113.171,84.53.201.116,85.125.193.122,85.152.27.19,85.198.112.3,85.202.82.107,85.24.197.205,86.101.52.52,86.20.97.248,86.229.60.77] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 44"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500086; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[86.243.38.54,86.246.107.189,87.106.240.134,87.237.235.37,87.26.173.231,87.64.139.220,87.98.182.87,88.117.174.118,88.119.154.139,88.212.241.118,89.163.231.222,89.191.9.132,89.222.181.58,89.223.94.206,89.248.162.159,89.248.172.85,89.28.205.18,89.36.220.19,89.36.222.85,89.39.142.35,89.40.127.167,89.46.100.165,89.87.224.206,90.120.175.111,90.63.218.214,90.74.53.130,91.119.237.203,91.121.110.50,91.121.119.195,91.121.136.47] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 45"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500088; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip [91.121.154.100,91.121.174.88,91.121.211.34,91.121.236.146,91.121.64.68,91.121.7.107,91.121.85.30,91.134.203.217,91.134.240.226,91.134.241.32,91.202.132.172,91.207.175.168,91.210.224.195,91.217.34.129,91.222.61.252,91.225.134.198,91.234.241.55,91.236.116.214,91.46.13.104,91.65.22.109,92.222.218.139,92.222.24.68,92.222.64.26,92.222.75.72,92.249.219.167,92.253.176.129,92.38.124.254,92.86.142.5,93.114.66.32,93.123.114.171] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 46"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500090; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) alert ip 
[93.185.75.99,93.186.57.106,93.244.246.200,93.42.117.137,93.43.119.9,93.89.190.250,94.101.181.238,94.130.109.106,94.135.173.134,94.177.190.19,94.230.136.33,94.23.216.27,94.23.30.183,94.233.30.122,94.23.55.228,94.25.38.210,94.25.38.211,95.153.80.235,95.167.39.12,95.211.197.166,95.213.164.202,95.215.1.182,95.58.194.148,95.59.223.206,95.85.30.24,96.22.12.212,96.67.189.180,96.67.205.234,98.209.70.36,98.29.18.52] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or Hostile Host Traffic group 47"; reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2500092; rev:4922; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag COMPROMISED, signature_severity Major, created_at 2011_04_28, updated_at 2018_12_19;) # # $Id: emerging-drop.rules $ # Emerging Threats Spamhaus DROP List rules. # # Rules to block Spamhaus DROP listed networks (www.spamhaus.org) # # More information available at www.emergingthreats.net # # Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # # # VERSION 2685 # Generated 2018-12-16 00:05:01 EDT alert ip [14.4.0.0/14,23.226.48.0/20,23.251.224.0/19,24.233.0.0/19,27.126.160.0/20,27.146.0.0/16,31.11.43.0/24,31.222.200.0/21,36.0.8.0/21,36.37.48.0/20,36.93.0.0/16,36.116.0.0/16,36.119.0.0/16,37.148.216.0/21,37.246.0.0/16,42.0.32.0/19,42.1.128.0/17,42.96.0.0/18,42.128.0.0/12,42.160.0.0/12] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 1"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400000; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [43.250.116.0/22,43.252.80.0/22,43.252.152.0/22,43.252.180.0/22,45.4.128.0/22,45.4.136.0/22,45.6.48.0/22,45.43.128.0/18,45.65.188.0/22,45.114.224.0/22,45.117.208.0/22,45.121.204.0/22,45.127.36.0/22,46.232.192.0/21,46.243.140.0/24,46.243.142.0/24,49.8.0.0/14,49.238.64.0/18,58.14.0.0/15,60.233.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 2"; reference:url,www.spamhaus.org/drop/drop.lasso; 
threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400001; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [67.220.224.0/19,74.114.148.0/22,74.118.60.0/22,74.122.56.0/21,79.110.17.0/24,79.110.18.0/24,79.110.19.0/24,79.110.25.0/24,79.173.104.0/21,83.175.0.0/18,84.238.160.0/22,85.121.39.0/24,86.55.40.0/23,86.55.42.0/23,91.196.180.0/22,91.197.196.0/22,91.200.12.0/22,91.200.248.0/22,91.208.52.0/24,91.209.12.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 3"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400002; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [91.235.2.0/24,91.236.74.0/23,91.238.82.0/24,91.240.165.0/24,91.247.76.0/22,93.179.89.0/24,93.179.90.0/24,93.179.91.0/24,101.192.0.0/14,101.202.0.0/16,101.203.128.0/19,101.248.0.0/15,101.252.0.0/15,103.2.44.0/22,103.16.76.0/24,103.23.8.0/22,103.32.132.0/22,103.36.64.0/22,103.57.248.0/22,103.63.0.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 4"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400003; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip 
[103.215.80.0/22,103.219.152.0/22,103.228.60.0/22,103.229.36.0/22,103.229.40.0/22,103.230.144.0/22,103.232.136.0/22,103.232.172.0/22,103.236.32.0/22,103.239.28.0/22,103.243.8.0/22,104.153.112.0/21,104.153.244.0/22,104.219.88.0/21,104.222.160.0/19,104.233.0.0/18,104.239.0.0/17,104.243.192.0/20,104.250.192.0/19,104.255.56.0/21] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 5"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400004; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [116.144.0.0/15,116.146.0.0/15,116.206.16.0/22,117.58.0.0/17,117.120.64.0/18,119.42.52.0/22,119.58.0.0/16,119.232.0.0/16,120.48.0.0/15,121.46.124.0/22,121.100.128.0/18,122.129.0.0/18,122.185.0.0/16,123.136.80.0/20,123.249.0.0/16,124.20.0.0/16,124.68.0.0/15,124.157.0.0/18,124.242.0.0/16,125.31.192.0/18] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 6"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400005; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [128.94.0.0/16,128.188.0.0/16,129.160.0.0/16,130.21.0.0/16,130.148.0.0/16,130.196.0.0/16,130.222.0.0/16,131.72.20.0/22,131.72.208.0/22,131.108.16.0/22,131.108.232.0/22,131.143.0.0/16,131.200.0.0/16,132.255.132.0/22,134.18.0.0/16,134.22.0.0/16,134.23.0.0/16,134.33.0.0/16,134.62.0.0/15,134.127.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 7"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, 
seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400006; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [137.55.0.0/16,137.72.0.0/16,137.76.0.0/16,137.105.0.0/16,137.114.0.0/16,137.171.0.0/16,137.218.0.0/16,138.31.0.0/16,138.36.92.0/22,138.36.136.0/22,138.43.0.0/16,138.52.0.0/16,138.59.4.0/22,138.59.204.0/22,138.94.120.0/22,138.94.144.0/22,138.94.216.0/22,138.97.156.0/22,138.122.192.0/22,138.125.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 8"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400007; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [138.240.0.0/16,138.249.0.0/16,139.188.0.0/16,140.167.0.0/16,141.136.22.0/24,141.136.27.0/24,141.178.0.0/16,141.253.0.0/16,142.4.160.0/19,142.102.0.0/16,143.0.236.0/22,143.49.0.0/16,143.64.0.0/16,143.135.0.0/16,143.137.228.0/22,144.207.0.0/16,145.231.0.0/16,146.3.0.0/16,146.183.0.0/16,146.202.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 9"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400008; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip 
[148.154.0.0/16,148.178.0.0/16,148.185.0.0/16,148.248.0.0/16,149.118.0.0/16,149.143.64.0/18,150.10.0.0/16,150.22.128.0/17,150.25.0.0/16,150.40.0.0/16,150.107.106.0/23,150.121.0.0/16,150.126.0.0/16,150.129.136.0/22,150.129.212.0/22,150.129.228.0/22,150.141.0.0/16,150.242.100.0/22,150.242.120.0/22,150.242.144.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 10"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400009; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [153.14.0.0/16,153.52.0.0/14,153.93.0.0/16,155.11.0.0/16,155.40.0.0/16,155.66.0.0/16,155.71.0.0/16,155.73.0.0/16,155.108.0.0/16,155.204.0.0/16,155.249.0.0/16,157.115.0.0/16,157.162.0.0/16,157.186.0.0/16,157.195.0.0/16,158.54.0.0/16,158.90.0.0/17,158.249.0.0/16,159.80.0.0/16,159.85.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 11"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400010; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [160.14.0.0/16,160.21.0.0/16,160.117.0.0/16,160.124.0.0/16,160.180.0.0/16,160.181.0.0/16,160.188.0.0/16,160.200.0.0/16,160.235.0.0/16,160.240.0.0/16,160.255.0.0/16,161.0.0.0/19,161.0.68.0/22,161.1.0.0/16,161.66.0.0/16,161.189.0.0/16,162.208.124.0/22,162.212.188.0/22,162.213.232.0/22,162.222.128.0/21] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 12"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; 
classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400011; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [163.59.0.0/16,163.250.0.0/16,163.254.0.0/16,164.6.0.0/16,164.60.0.0/16,164.79.0.0/16,164.137.0.0/16,165.52.0.0/14,165.102.0.0/16,165.192.0.0/16,165.205.0.0/16,165.209.0.0/16,166.117.0.0/16,167.74.0.0/18,167.88.48.0/20,167.97.0.0/16,167.103.0.0/16,167.158.0.0/16,167.162.0.0/16,167.175.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 13"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400012; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [168.129.0.0/16,168.181.52.0/22,168.195.76.0/22,168.196.236.0/22,168.196.240.0/22,168.205.72.0/22,168.227.128.0/22,168.227.140.0/22,170.67.0.0/16,170.83.232.0/22,170.113.0.0/16,170.114.0.0/16,170.120.0.0/16,170.179.0.0/16,170.244.40.0/22,170.244.240.0/22,170.245.40.0/22,170.247.220.0/22,171.25.0.0/17,171.25.212.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 14"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400013; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip 
[176.65.128.0/19,176.97.116.0/22,177.36.16.0/20,177.74.160.0/20,177.91.0.0/22,177.234.136.0/21,178.16.80.0/20,179.42.64.0/19,180.178.192.0/18,180.236.0.0/14,181.177.64.0/18,181.215.247.0/24,184.169.64.0/19,185.17.96.0/22,185.35.136.0/22,185.46.84.0/22,185.50.250.0/24,185.50.251.0/24,185.64.20.0/22,185.68.156.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 15"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400014; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [185.106.94.0/24,185.127.24.0/22,185.132.4.0/22,185.133.20.0/22,185.135.140.0/22,185.135.184.0/22,185.137.219.0/24,185.140.108.0/22,185.141.188.0/22,185.146.20.0/22,185.146.28.0/22,185.147.140.0/22,185.148.44.0/22,185.148.128.0/22,185.149.112.0/22,185.150.84.0/22,185.151.48.0/22,185.152.36.0/22,185.152.248.0/22,185.154.20.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 16"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400015; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [185.166.68.0/22,185.166.144.0/22,185.167.116.0/22,185.175.140.0/22,185.176.224.0/22,185.178.164.0/22,185.184.192.0/22,185.185.48.0/22,185.187.236.0/22,185.189.140.0/22,185.194.120.0/22,185.195.160.0/22,185.196.96.0/22,185.197.120.0/22,185.198.212.0/22,185.199.240.0/22,185.202.32.0/22,185.202.88.0/22,185.203.192.0/22,185.204.100.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 17"; 
reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400016; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [185.208.24.0/22,185.208.128.0/22,185.209.92.0/22,185.209.240.0/22,185.210.212.0/22,185.211.40.0/22,185.212.56.0/22,185.212.176.0/22,185.212.244.0/22,185.213.176.0/22,185.213.220.0/22,185.215.116.0/22,185.217.216.0/22,185.219.32.0/22,185.221.236.0/22,185.222.220.0/22,185.223.132.0/22,185.223.244.0/22,185.223.248.0/22,185.224.104.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 18"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400017; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [185.237.60.0/22,185.238.104.0/22,185.239.24.0/22,185.239.32.0/22,185.239.104.0/22,185.240.16.0/22,185.241.72.0/22,185.241.192.0/22,185.242.120.0/22,185.244.176.0/22,185.245.112.0/22,185.247.172.0/22,186.65.112.0/20,186.179.0.0/18,188.172.160.0/19,188.247.135.0/24,188.247.230.0/24,190.123.208.0/20,190.185.108.0/22,191.101.167.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 19"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400018; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip 
[192.40.29.0/24,192.43.153.0/24,192.43.154.0/23,192.43.156.0/22,192.43.160.0/24,192.43.175.0/24,192.43.176.0/21,192.43.184.0/24,192.46.192.0/18,192.54.110.0/24,192.67.16.0/24,192.86.85.0/24,192.88.74.0/24,192.100.142.0/24,192.101.44.0/24,192.101.181.0/24,192.101.200.0/21,192.101.240.0/21,192.101.248.0/23,192.133.3.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 20"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400019; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [192.190.49.0/24,192.190.97.0/24,192.195.150.0/24,192.197.87.0/24,192.203.252.0/24,192.206.114.0/24,192.219.120.0/21,192.219.128.0/18,192.219.192.0/20,192.219.208.0/21,192.226.16.0/20,192.229.32.0/19,192.231.66.0/24,192.234.189.0/24,192.245.101.0/24,192.251.231.0/24,193.9.158.0/24,193.25.48.0/20,193.26.64.0/19,193.46.172.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 21"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400020; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [194.15.44.0/22,194.29.185.0/24,195.182.57.0/24,195.191.56.0/23,195.191.102.0/23,195.210.96.0/19,196.1.109.0/24,196.42.128.0/17,196.63.0.0/16,196.196.0.0/16,196.199.0.0/16,197.154.0.0/16,197.159.80.0/21,198.13.0.0/20,198.14.160.0/19,198.20.16.0/20,198.45.32.0/20,198.45.64.0/19,198.56.64.0/18,198.57.64.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 22"; reference:url,www.spamhaus.org/drop/drop.lasso; 
threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400021; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [198.148.212.0/24,198.151.16.0/20,198.151.64.0/18,198.151.152.0/22,198.160.205.0/24,198.169.201.0/24,198.177.175.0/24,198.177.176.0/22,198.177.180.0/24,198.177.214.0/24,198.178.64.0/19,198.179.22.0/24,198.181.64.0/19,198.181.96.0/20,198.183.32.0/19,198.184.193.0/24,198.184.208.0/24,198.186.25.0/24,198.186.208.0/24,198.187.64.0/18] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 23"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400022; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [198.206.140.0/24,198.212.132.0/24,199.5.152.0/23,199.5.229.0/24,199.26.137.0/24,199.26.207.0/24,199.26.251.0/24,199.33.222.0/24,199.34.128.0/18,199.46.32.0/19,199.60.102.0/24,199.71.56.0/21,199.71.192.0/20,199.84.55.0/24,199.84.56.0/22,199.84.60.0/24,199.84.64.0/19,199.88.32.0/20,199.88.48.0/22,199.89.16.0/20] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 24"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400023; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip 
[199.185.192.0/20,199.196.192.0/19,199.198.160.0/20,199.198.176.0/21,199.198.184.0/23,199.198.188.0/22,199.200.64.0/19,199.212.96.0/20,199.223.0.0/20,199.230.64.0/19,199.230.96.0/21,199.233.85.0/24,199.233.96.0/24,199.241.64.0/19,199.244.56.0/21,199.245.138.0/24,199.246.137.0/24,199.246.213.0/24,199.246.215.0/24,199.248.64.0/18] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 25"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400024; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [200.0.60.0/23,200.22.0.0/16,200.71.124.0/22,200.189.44.0/22,201.148.168.0/22,201.169.0.0/16,202.0.192.0/18,202.20.32.0/19,202.21.64.0/19,202.27.96.0/23,202.27.98.0/24,202.27.99.0/24,202.27.100.0/22,202.27.120.0/22,202.27.161.0/24,202.27.162.0/23,202.27.164.0/22,202.27.168.0/24,202.39.112.0/20,202.40.32.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 26"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400025; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [202.183.0.0/19,202.189.80.0/20,203.2.200.0/22,203.9.0.0/19,203.31.88.0/23,203.34.70.0/23,203.34.71.0/24,203.34.252.0/23,203.86.252.0/22,203.169.0.0/22,203.191.64.0/18,203.195.0.0/18,204.19.38.0/23,204.44.32.0/20,204.44.192.0/20,204.44.224.0/20,204.52.96.0/19,204.52.255.0/24,204.57.16.0/20,204.75.147.0/24] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 27"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type 
limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400026; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [204.106.128.0/18,204.106.192.0/19,204.107.208.0/24,204.126.244.0/23,204.128.151.0/24,204.128.180.0/24,204.130.16.0/20,204.130.167.0/24,204.147.64.0/21,204.194.64.0/21,204.194.184.0/21,204.225.16.0/20,204.225.159.0/24,204.225.210.0/24,204.232.0.0/18,204.238.137.0/24,204.238.170.0/24,204.238.183.0/24,205.137.0.0/20,205.142.104.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 28"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400027; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [205.159.45.0/24,205.159.174.0/24,205.159.180.0/24,205.166.77.0/24,205.166.84.0/24,205.166.130.0/24,205.166.168.0/24,205.166.211.0/24,205.172.176.0/22,205.172.244.0/22,205.175.160.0/19,205.189.71.0/24,205.189.72.0/23,205.203.0.0/19,205.203.224.0/19,205.207.134.0/24,205.210.107.0/24,205.210.139.0/24,205.210.171.0/24,205.210.172.0/22] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 29"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400028; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip 
[205.237.88.0/21,206.41.160.0/19,206.51.29.0/24,206.124.104.0/21,206.130.5.0/24,206.130.188.0/24,206.143.128.0/17,206.195.224.0/19,206.197.28.0/24,206.197.29.0/24,206.197.77.0/24,206.197.165.0/24,206.203.64.0/18,206.209.80.0/20,206.224.160.0/19,206.226.0.0/19,206.226.32.0/19,206.227.64.0/18,207.22.192.0/18,207.32.128.0/19] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 30"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400029; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [207.226.192.0/20,208.93.4.0/22,208.117.88.0/22,208.117.92.0/24,209.51.32.0/20,209.54.160.0/19,209.66.128.0/19,209.95.192.0/19,209.99.128.0/18,209.145.0.0/19,209.182.64.0/19,209.229.0.0/16,209.242.192.0/19,212.60.16.0/22,212.92.127.0/24,216.83.208.0/20,216.137.176.0/20,220.154.0.0/16,221.132.192.0/18,223.0.0.0/15] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 31"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400030; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 2010_12_30, updated_at 2018_12_16;) alert ip [223.169.0.0/16,223.173.0.0/16,223.254.0.0/16] any -> $HOME_NET any (msg:"ET DROP Spamhaus DROP Listed Traffic Inbound group 32"; reference:url,www.spamhaus.org/drop/drop.lasso; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DROPIP; sid:2400031; rev:2685; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Minor, created_at 
2010_12_30, updated_at 2018_12_16;) # # $Id: emerging-dshield.rules $ # Emerging Threats Dshield rules. # # Rules to alert on inbound traffic from Dshield-identified Top Attackers (www.dshield.org, feeds.dshield.org/block.txt). # NOTE: the rule below uses the alert action and sets the ET.Evil / ET.DshieldIP flowbits; it only blocks traffic if you convert it to the drop action on an inline (IPS) deployment. # The source-address list is a snapshot of the Dshield feed as of the rule's updated_at date; refresh it from the reference URL rather than editing the list by hand. # # More information available at www.emergingthreats.net # # Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list # #************************************************************* # # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# # alert ip [176.119.4.0/24,176.119.7.0/24,78.128.112.0/24,185.176.26.0/24,196.52.43.0/24,77.72.85.0/24,37.49.225.0/24,185.254.123.0/24,194.55.142.0/24,198.108.67.0/24,185.255.31.0/24,79.124.56.0/24,5.188.206.0/24,31.192.108.0/24,5.188.87.0/24,92.53.90.0/24,109.248.9.0/24,185.211.245.0/24,122.228.19.0/24,37.49.231.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; reference:url,feeds.dshield.org/block.txt; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; flowbits:set,ET.Evil; flowbits:set,ET.DshieldIP; sid:2402000; rev:5035; metadata:affected_product Any, attack_target Any, deployment Perimeter, tag Dshield, signature_severity Major, created_at 2010_12_30, updated_at 2018_12_19;) # Emerging Threats # # This distribution may contain rules under two different licenses. # # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html # # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License # as follows: # #************************************************************* # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. 
# # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # # # # This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced. alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object IMAP4 Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.IMAP4.6"; distance:0; nocase; content:"LicenseKey"; nocase; reference:url,secunia.com/advisories/24199/; reference:url,doc.emergingthreats.net/2010658; classtype:web-application-attack; sid:2010658; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Head Method Buffer Overflow Attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"ET ACTIVEX SoftCab Sound Converter ActiveX SaveFormat File overwrite Attempt"; flow:established,to_client; content:"66757BFC-DA0C-41E6-B3FE-B6D461223FF5"; nocase; content:"SaveFormat"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*66757BFC-DA0C-41E6-B3FE-B6D461223FF5/si"; reference:url,secunia.com/advisories/37967/; 
reference:url,doc.emergingthreats.net/2010943; classtype:web-application-attack; sid:2010943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF Viewer ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"BDF3E9D2-5F7A-4F4A-A914-7498C862EA6A"; nocase; distance:0; content:"savePageAsBitmap"; nocase; reference:bugtraq,31984; reference:url,milw0rm.com/exploits/6875; reference:url,doc.emergingthreats.net/2008791; classtype:web-application-attack; sid:2008791; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOVIEPLAYER.MoviePlayerCtrl.1"; nocase; distance:0; content:"DrawText"; nocase; reference:url,www.shinnai.net/exploits/X6hU4E0E7P5H3qH5yXrn.txt; reference:url,secunia.com/advisories/38156/; reference:url,doc.emergingthreats.net/2010944; classtype:attempted-user; sid:2010944; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt"; flow:established,to_client; 
content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AVC781Viewer.CV781Object"; nocase; distance:0; pcre:"/(SendCommand|Login|Snapshot|_DownloadPBControl|_DownloadPBClose|_DownloadPBOpen)/i"; reference:url,zeroscience.mk/en/vulnerabilities/ZSL-2010-4934.php; reference:url,exploit-db.com/exploits/12294; reference:url,doc.emergingthreats.net/2011206; classtype:attempted-user; sid:2011206; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"AcroPDFLib.AcroPDF"; distance:0; nocase; content:"src"; nocase; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010705; classtype:attempted-user; sid:2010705; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe 
browser document ActiveX DoS Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"CA8A9780-280D-11CF-A24D-444553540000"; nocase; distance:0; content:"src"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CA8A9780-280D-11CF-A24D-444553540000/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/acropdf-dos.txt; reference:url,doc.emergingthreats.net/2010726; classtype:attempted-user; sid:2010726; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ask.com Toolbar askBar.dll ActiveX ShortFormat Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"5A074B2B-F830-49DE-A31B-5BB9D7F6B407"; nocase; distance:0; content:"ShortFormat"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A074B2B-F830-49DE-A31B-5BB9D7F6B407/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/ask_shortformat.rb.txt; reference:url,secunia.com/advisories/26960/; reference:url,doc.emergingthreats.net/2010921; classtype:web-application-attack; sid:2010921; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (7)"; flow:to_client,established; content:"clsid"; nocase; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009620; classtype:web-application-attack; sid:2009620; 
rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (8)"; flow:to_client,established; content:"clsid"; nocase; content:"1C15D484-911D-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1C15D484-911D-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009621; classtype:web-application-attack; sid:2009621; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (9)"; flow:to_client,established; content:"clsid"; nocase; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009622; classtype:web-application-attack; sid:2009622; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (10)"; flow:to_client,established; content:"clsid"; nocase; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; nocase; distance:0; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009623; classtype:web-application-attack; sid:2009623; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (11)"; flow:to_client,established; content:"clsid"; nocase; content:"334125C0-77E5-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*334125C0-77E5-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009624; classtype:web-application-attack; sid:2009624; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (12)"; flow:to_client,established; content:"clsid"; nocase; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B0353C-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009625; classtype:web-application-attack; sid:2009625; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 
Vulnerable Microsoft Video ActiveX CLSID access (13)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03543-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009626; classtype:web-application-attack; sid:2009626; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (14)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03544-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009627; classtype:web-application-attack; sid:2009627; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (15)"; flow:to_client,established; content:"clsid"; nocase; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*418008F3-CF67-4668-9628-10DC52BE1D08/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009628; classtype:web-application-attack; sid:2009628; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, 
deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (16)"; flow:to_client,established; content:"clsid"; nocase; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009629; classtype:web-application-attack; sid:2009629; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (17)"; flow:to_client,established; content:"clsid"; nocase; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009630; classtype:web-application-attack; sid:2009630; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (18)"; flow:to_client,established; content:"clsid"; nocase; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; 
reference:url,doc.emergingthreats.net/2009631; classtype:web-application-attack; sid:2009631; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (19)"; flow:to_client,established; content:"clsid"; nocase; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009632; classtype:web-application-attack; sid:2009632; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (20)"; flow:to_client,established; content:"clsid"; nocase; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*823535A0-0318-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009633; classtype:web-application-attack; sid:2009633; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (21)"; flow:to_client,established; content:"clsid"; nocase; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; nocase; 
distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009634; classtype:web-application-attack; sid:2009634; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (22)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009635; classtype:web-application-attack; sid:2009635; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (23)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009636; classtype:web-application-attack; sid:2009636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (24)"; flow:to_client,established; content:"clsid"; nocase; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CD64701-BDF3-4D14-8E03-F12983D86664/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009638; classtype:web-application-attack; sid:2009638; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (25)"; flow:to_client,established; content:"clsid"; nocase; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009639; classtype:web-application-attack; sid:2009639; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (26)"; flow:to_client,established; content:"clsid"; nocase; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009640; classtype:web-application-attack; sid:2009640; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target 
Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (27)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009641; classtype:web-application-attack; sid:2009641; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (28)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009642; classtype:web-application-attack; sid:2009642; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"BrowseAndSaveFile"; nocase; 
reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:url,securitytracker.com/alerts/2009/Nov/1023122.html; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010245; classtype:attempted-user; sid:2010245; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Altirix eXpress NS SC ActiveX Arbitrary Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSPkgDL.1"; nocase; distance:0; content:"DownloadAndInstall"; nocase; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; reference:url,secunia.com/advisories/36679; reference:url,doc.emergingthreats.net/2010190; classtype:attempted-user; sid:2010190; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOLShare ActiveX AppString method denial of service Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"YGPWz.CAOLMemExpWz"; nocase; distance:0; content:"AppString"; nocase; reference:url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt; reference:url,doc.emergingthreats.net/2010987; classtype:attempted-user; sid:2010987; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment 
Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AtHocGov IWSAlerts ActiveX Control Buffer Overflow Function Call Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"AtHocGovGSTlBar.GSHelper.1"; nocase; distance:0; content:"CompleteInstallation"; nocase; reference:url,metasploit.com/modules/exploit/windows/browser/athocgov_completeinstallation; reference:url,athoc.com/products/IWSAlerts_overview.aspx; reference:url,doc.emergingthreats.net/2011211; classtype:attempted-user; sid:2011211; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"R2AXCTRLLib.R2winCtrl"; nocase; distance:0; content:"ControlID"; nocase; reference:url,doc.emergingthreats.net/2011130; classtype:attempted-user; sid:2011130; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MPS.StormPlayer.1"; nocase; distance:0; content:"OnBeforeVideoDownload"; nocase; reference:bugtraq,34789; reference:url,doc.emergingthreats.net/2010995; classtype:attempted-user; sid:2010995; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, 
deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(EnableStartApplication|EnableStartBeforePrint|EnableKeepExistingFiles|EnablePassParameters)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010208; classtype:attempted-user; sid:2010208; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; pcre:"/(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/i"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010209; classtype:attempted-user; sid:2010209; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; 
distance:0; content:"SaveBlackIceDEVMODE"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010210; classtype:attempted-user; sid:2010210; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ClearUserSettings"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010211; classtype:attempted-user; sid:2010211; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BlackIceDEVMODECtrl.1"; nocase; distance:0; content:"ControlJob"; nocase; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010212; classtype:attempted-user; sid:2010212; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control BOF Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SdcUser.TgConCtl"; nocase; distance:0; 
content:"RunCMD"; nocase; reference:url,www.kb.cert.org/vuls/id/602801; reference:bugtraq,40006; reference:url,juniper.net/security/auto/vulnerabilities/vuln40006.html; reference:url,doc.emergingthreats.net/2011213; classtype:attempted-user; sid:2011213; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable SetLogLevel/SetLogFileName Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; distance:0; content:"SetLog"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010036; classtype:attempted-user; sid:2010036; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PDIControl.PDI.1"; nocase; distance:0; content:"WriteToLog"; distance:0; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010154; classtype:web-application-attack; sid:2010154; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment 
Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EMC Captiva PixTools ActiveX Arbitrary File Creation/Overwrite function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PDIControl.PDI.1"; nocase; distance:0; content:"SetLog"; distance:0; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010155; classtype:web-application-attack; sid:2010155; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX OpenFile method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"FOXITREADEROCXLib.FoxitReaderOCX"; nocase; distance:0; content:"OpenFile "; nocase; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010930; classtype:attempted-user; sid:2010930; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"GOMWEBCTRLLib.GomWeb"; nocase; distance:0; content:"Command"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010368; classtype:web-application-attack; sid:2010368; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Haihaisoft Universal Player ActiveX Control URL Property Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYACTIVEX|2E|MyActiveXCtrl|2E|1"; nocase; distance:0; content:"URL"; nocase; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010374; classtype:attempted-user; sid:2010374; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"HyleosChemView.HLChemView"; nocase; distance:0; pcre:"/(ReadMolFile|SaveasMolFile)/i"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010999; classtype:attempted-user; sid:2010999; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"IbmEgath.IbmEgathCtl.1"; distance:0; nocase; content:"GetXMLValue"; nocase; 
reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010482; classtype:attempted-user; sid:2010482; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call Object"; flow:from_server,established; content:" DirectAnimation.PathControl"; content:".Spline|28|"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003103; classtype:attempted-user; sid:2003103; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's KeyFrame function call Object"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"DirectAnimation.PathControl"; nocase; content:".KeyFrame|28|"; nocase; 
pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22DirectAnimation\.PathControl\x22|\x27DirectAnimation\.PathControl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28842; reference:cve,2006-4777; reference:url,doc.emergingthreats.net/2003105; classtype:attempted-user; sid:2003105; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"D0C07D56-7C69-43F1-B4A0-25F5A11FAB19"; nocase; reference:url,doc.emergingthreats.net/2003162; classtype:attempted-user; sid:2003162; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VsaIDE.DTE object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"E8CCCDDF-CA28-496b-B050-6C07C962476B"; nocase; reference:url,doc.emergingthreats.net/2003163; classtype:attempted-user; sid:2003163; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Business Object Factory object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"AB9BCEDD-EC7E-47E1-9322-D4A210617116"; nocase; reference:url,doc.emergingthreats.net/2003164; classtype:attempted-user; sid:2003164; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Outlook Data Object object call CSLID"; 
flow:from_server,established; content:"CLSID"; nocase; content:"0006F033-0000-0000-C000-000000000046"; nocase; reference:url,doc.emergingthreats.net/2003165; classtype:attempted-user; sid:2003165; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Outlook.Application object call CSLID"; flow:from_server,established; content:"CLSID"; nocase; content:"0006F03A-0000-0000-C000-000000000046"; nocase; reference:url,doc.emergingthreats.net/2003166; classtype:attempted-user; sid:2003166; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft Internet Explorer ADODB.Redcordset Double Free Memory Exploit - MS07-009"; flow:from_server,established; content:"CLSID"; nocase; content:"00000535-0000-0010-8000-00AA006D2EA4"; nocase; reference:url,www.milw0rm.com/exploits/3577; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-009.mspx; reference:url,doc.emergingthreats.net/2003514; classtype:attempted-user; sid:2003514; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution"; flow:from_server,established; content:"6E449683-C509-11CF-AAFA-00AA00B6015C"; nocase; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6E449683-C509-11CF-AAFA-00AA00B6015C/si"; reference:url, osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003231; classtype:attempted-user; sid:2003231; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET ACTIVEX Possible Microsoft IE Install Engine Inseng.dll Arbitrary Code Execution (2)"; flow:from_server,established; content:" ASControls.InstallEngineCtl"; content:"BaseUrl"; nocase; content:"SetCifFile"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22ASControls\.InstallEngineCtl\x22|\x27ASControls\.InstallEngineCtl\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/10705; reference:cve,2004-0216; reference:url,doc.emergingthreats.net/2003232; classtype:attempted-user; sid:2003232; rev:59; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution"; flow:from_server,established; content:" Shell.Application"; content:"GetLink"; nocase; pcre:"/new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\)|(\w+)[\r\n\s]*=[\r\n\s]*(\x22Shell\.Application\x22|\x27Shell\.Application\x27)[\r\n\s]*\x3b.*new[\r\n\s]*ActiveXObject[\r\n\s]*\([\r\n\s]*\1[\r\n\s]*\)/smi"; reference:url, osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003233; classtype:attempted-user; sid:2003233; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Microsoft IE Shell.Application ActiveX Arbitrary Command Execution (2)"; flow:from_server,established; content:"13709620-C279-11CE-A49E-444553540000"; nocase; content:"GetLink"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*13709620-C279-11CE-A49E-444553540000/si"; 
reference:url, osvdb.org/7913; reference:cve,2004-2291; reference:url,doc.emergingthreats.net/2003234; classtype:attempted-user; sid:2003234; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference:url,www.hnc3k.com/ievulnerabil.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2001181; classtype:misc-attack; sid:2001181; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service adsiis.dll activex remote DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"D6BFA35E-89F2-11D0-8527-00C04FD8D503"; distance:0; nocase; content:"GetObject"; nocase; reference:cve,2008-4300; reference:url,securityreason.com/securityalert/4325; reference:url,doc.emergingthreats.net/2008621; classtype:web-application-attack; sid:2008621; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image22 ActiveX DrawIcon Method Buffer Overflow Attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar ImageShackToolbar.dll ActiveX Control Insecure Method Vulnerability"; flow:to_client,established; content:"clsid"; nocase; content:"BDF9442E-9B03-42C2-87BA-2A459B0A5317"; nocase; pcre:"/file\:.*\.(jpg|ini|exe|dll|bat|com|cab|txt)/i"; content:"BuildSlideShow"; reference:url,www.milw0rm.com/exploits/4981; 
reference:bugtraq,27439; reference:url,doc.emergingthreats.net/2007853; classtype:web-application-attack; sid:2007853; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX IncrediMail IMMenuShellExt ActiveX Control Buffer Overflow Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"F8984111-38B6-11D5-8725-0050DA2761C4"; nocase; distance:0; content:"ImShExt.dll"; nocase; content:"DoWebMenuAction"; nocase; content:"INCREDISHELLEXTLib.IMMenuShellExt"; nocase; content:"String"; nocase; distance:0; pcre:"/[0-9]{3,}/"; reference:url,www.milw0rm.com/exploits/3877; reference:bugtraq,23674; reference:cve,CVE-2007-1683; reference:url,doc.emergingthreats.net/2007931; classtype:web-application-attack; sid:2007931; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"032038A5-B655-11D3-BB7D-0050DA276194"; nocase; distance:0; content:"Authenticate"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*032038A5-B655-11D3-BB7D-0050DA276194/si"; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011048; classtype:attempted-user; sid:2011048; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite Function 
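Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ISWiAuto15.ISWiSequence"; nocase; distance:0; content:"SaveToFile"; nocase; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010257; classtype:attempted-user; sid:2010257; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Installshiled 2009 premier ActiveX File Overwrite clsid Access"; flow:established,to_client; content:"34E7A6F9-F260-46BD-AAC8-1E70E22139D2"; nocase; content:"SaveToFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*34E7A6F9-F260-46BD-AAC8-1E70E22139D2/si"; reference:url,packetstormsecurity.com/0909-exploits/installshield-overwrite.txt; reference:url,doc.emergingthreats.net/2010258; classtype:web-application-attack; sid:2010258; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# NOTE(review): sid:2010279 -- the literal CLSID content read "...-395EC9CD6510D" (13 hex digits in the
# last group). A GUID's last group is 12 digits and the rule's own pcre uses "...-395EC9CD6510", so the
# content match could never fire against a real <object> tag. Corrected to match the pcre; rev bumped 5->6
# so rule managers that compare rev pick up the change.
# NOTE(review): the pcre options in this run begin "/]*classid" -- the leading "<OBJECT ... [^>" part of the
# pattern appears to have been stripped when this page was rendered (an unescaped "]*" outside a class is
# just a literal). As shown they still match "classid=clsid:<CLSID>" anywhere, only more loosely; verify the
# pattern against the upstream ET source before deploying rather than reconstructing it from this page.
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX InstanGet v2.08 Activex Control DOS clsid access attempt"; flow:established,to_client; content:"clsid"; nocase; content:"98C92840-EB1C-40BD-B6A5-395EC9CD6510"; nocase; distance:0; content:"ShowBar"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C92840-EB1C-40BD-B6A5-395EC9CD6510/si"; reference:url,www.packetstormsecurity.org/0909-exploits/instantget-dos.txt; reference:url,doc.emergingthreats.net/2010279; classtype:web-application-attack; sid:2010279; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, 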
created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JamDTA ActiveX Control SaveToFile Arbitrary File Overwrite"; flow:to_client,established; content:"clsid"; nocase; content:"0B8F9DC9-A99C-40AD-BE40-88DDE92BAC41"; nocase; distance:0; content:"SaveToFile"; nocase; reference:bugtraq,33345; reference:url,doc.emergingthreats.net/2009115; classtype:web-application-attack; sid:2009115; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IncrediMail 2.0 Authenticate Method Remote Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"INCREDISPOOLERLib.Pop"; nocase; distance:0; content:"Authenticate"; nocase; reference:url,packetstormsecurity.org/1004-exploits/incredimail20-overflow.txt; reference:url,exploit-db.com/exploits/12030; reference:url,doc.emergingthreats.net/2011049; classtype:attempted-user; sid:2011049; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime Environment ActiveX Control Multiple Remote Buffer Overflow"; flow:to_client,established; content:"clsid"; nocase; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; distance:0; pcre:"/(setInstallerType|setAdditionalPackages|installLatestJRE|compareVersion|installJRE|getStaticCLSID|launch)/i"; reference:url,xforce.iss.net/xforce/xfdb/50508; reference:bugtraq,34931; reference:url,milw0rm.com/exploits/8665; reference:url,doc.emergingthreats.net/2009434; classtype:web-application-attack; sid:2009434; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity 
Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX JuniperSetup Control Buffer Overflow"; flow:established,from_server; content:"E5F5D008-DD2C-4D32-977D-1A0ADF03058B"; nocase; pcre:"/param[^>]*name\s*=\s*["']?productname["']?[^>]*\s+value\s*=\s*(['"])((?!\1).|\\['"]){200}/Ri"; reference:url,www.eeye.com/html/research/advisories/AD20060424.html; reference:url,doc.emergingthreats.net/2002889; classtype:attempted-user; sid:2002889; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva QuickScan Pro KeyWorks KeyHelp Module keyhelp.ocx ActiveX Control Remote Buffer Overflow Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"B7ECFD41-BE62-11D2-B9A8-00104B138C8C"; nocase; distance:0; content:"KEYHELP"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B7ECFD41-BE62-11D2-B9A8-00104B138C8C/si"; reference:url,www.securityfocus.com/bid/36546/info; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19135; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/36546.html; reference:url,doc.emergingthreats.net/2010012; classtype:attempted-user; sid:2010012; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"00150B1A-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/iR"; content:"SaveSettingsToFile"; distance:0; nocase; reference:url,www.shinnai.altervista.org/xplits/TXT_lyyELAFI8pOPu2p7N6cq.html; reference:bugtraq,28442; reference:cve,CVE-2008-1605; 
reference:url,doc.emergingthreats.net/2008129; classtype:web-application-attack; sid:2008129; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Liquid XML Studio 2010 OpenFile Method Remote Heap Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E68E401C-7DB0-4F3A-88E1-159882468A79"; nocase; distance:0; content:"OpenFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E68E401C-7DB0-4F3A-88E1-159882468A79/si"; reference:url,exploit-db.com/exploits/11750; reference:url,doc.emergingthreats.net/2011050; classtype:attempted-user; sid:2011050; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Logitech VideoCall ActiveX Start method buffer overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"BF4C7B03-F381-4544-9A33-CB6DAD2A87CD"; nocase; distance:0; content:"Start"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BF4C7B03-F381-4544-9A33-CB6DAD2A87CD/si"; reference:url,osvdb.org/36820; reference:url,www.packetstormsecurity.nl/0911-exploits/logitechvideocall_start.rb.txt; reference:url,www.kb.cert.org/vuls/id/330289; reference:url,doc.emergingthreats.net/2010851; classtype:web-application-attack; sid:2010851; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orca Browser 1.1 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MOZXLib.EmbeddedMoz"; nocase; distance:0; content:"ExecCommand"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; 
reference:url,doc.emergingthreats.net/2010364; classtype:web-application-attack; sid:2010364; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ProgramChecker 1.5 ActiveX Command Execution Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TRATLLib.Options"; nocase; distance:0; content:"Run"; nocase; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; reference:url,doc.emergingthreats.net/2010366; classtype:web-application-attack; sid:2010366; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Rising Online Virus Scanner ActiveX Scan Method stack Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"RavOLCtlLib.RavOnline"; nocase; distance:0; content:"Scan"; nocase; reference:url,packetstorm.foofus.com/1002-exploits/risingonline-dos.txt; reference:bugtraq,38282; reference:url,doc.emergingthreats.net/2011021; classtype:attempted-user; sid:2011021; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Buffer Overflow Function call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"VSFlexGrid.VSFlexGridL"; nocase; distance:0; pcre:"/(Text|EditSelText|EditText|CellFontName|Archive)/i"; 
reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010467; classtype:web-application-attack; sid:2010467; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Altiris.AeXNSConsoleUtilities"; nocase; distance:0; content:"RunCmd"; nocase; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010370; classtype:attempted-user; sid:2010370; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"cliproxy.objects.1"; nocase; distance:0; content:"SetRemoteComputerName"; nocase; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; reference:url,dsecrg.com/pages/vul/show.php?id=139; reference:cve,2010-0108; reference:url,doc.emergingthreats.net/2010959; classtype:attempted-user; sid:2010959; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, 
signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX DeleteValue method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"DeleteValue"; nocase; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010835; classtype:attempted-user; sid:2010835; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX WriteValue method Remote Code Execution Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MpComExportsLib.MsMpSimpleConfig"; nocase; distance:0; content:"WriteValue"; nocase; reference:url,www.packetstormsecurity.org/1001-exploits/msdef2-overflow.txt; reference:url,doc.emergingthreats.net/2010837; classtype:attempted-user; sid:2010837; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"RichUploadLib.UploadControl"; nocase; distance:0; content:"RichUploadControlContextData"; nocase; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010703; classtype:attempted-user; sid:2010703; rev:4; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"APWebGrabber.Object"; nocase; distance:0; content:"GetStatus"; nocase; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010690; classtype:attempted-user; sid:2010690; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL 9.5 ActiveX control Import method Heap Overflow Attempt"; flow:established,to_client; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:"Import"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.exploit-db.com/exploits/11204; reference:url,doc.emergingthreats.net/2010977; classtype:attempted-user; sid:2010977; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-1"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"CheckForUpdates"; nocase; 
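reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010560; classtype:web-application-attack; sid:2010560; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# NOTE(review): sid:2010560 (rule header is on the preceding line) -- its ET doc reference read
# doc.emergingthreats.net/210560, a dropped digit. Every other rule's doc reference equals its sid and the
# sibling sid:2010561 points at /2010561, so the reference was corrected to /2010560 and rev bumped 4->5.
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent App Gateway ActiveX Buffer Overflow Function call-2"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"ComponentManager.Installer.1"; distance:0; nocase; content:"UpdateComponents"; nocase; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010561; classtype:web-application-attack; sid:2010561; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Remediation Client Enginecom.Dll ActiveX Code Execution Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Enginecom.imagineLANEngine.1"; nocase; distance:0; content:"DeleteSnapshot"; nocase; reference:url,fgc.fortinet.com/encyclopedia/vulnerability/mcafee.remediation.client.enginecom.dll.activex.access.html; reference:url,doc.emergingthreats.net/2010692; classtype:attempted-user; sid:2010692; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, 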
created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 ActiveX File Creation Function call attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCTAVIFileLib.AVIFileM"; nocase; distance:0; content:"OpenFile"; nocase; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010357; classtype:web-application-attack; sid:2010357; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client Browser Plugin ExecuteRequest debug Parameter Stack Overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"36723f97-7aa0-11d4-8919-ff2d71d0d32c"; nocase; distance:0; content:"ExecuteRequest"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723f97-7aa0-11d4-8919-ff2d71d0d32c/si"; reference:url,www.exploit-db.com/moaub-14-novell-iprint-client-browser-plugin-executerequest-debug-parameter-stack-overflow/; reference:bid,42100; reference:url,doc.emergingthreats.net/2011509; classtype:attempted-user; sid:2011509; rev:2; metadata:created_at 2010_09_28, updated_at 2010_09_28;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime _Marshaled_pUnk Backdoor Param Arbitrary Code Execution Attempt"; flow:established,from_server; content:"clsid"; nocase; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"_Marshaled_pUnk"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02BF25D5-8C17-4B23-BC80-D3488ABDDC6B/si"; reference:url,www.exploit-db.com/exploits/14843/; classtype:attempted-user; sid:2011412; rev:2; metadata:created_at 2010_09_27, updated_at 2010_09_27;) #alert 
http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; reference:url,doc.emergingthreats.net/bin/view/Main/2007847; classtype:web-application-attack; sid:2007847; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Java Deployment Toolkit CSLID Command Execution Attempt"; flow:to_client,established; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launch"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA/si"; reference:url,seclists.org/fulldisclosure/2010/Apr/119; reference:url,doc.emergingthreats.net/2011010; classtype:attempted-user; sid:2011010; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; content:"offer-"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:url,www.exploit-db.com/exploits/11172/; reference:cve,2009-3958; 
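reference:url,doc.emergingthreats.net/2010665; classtype:attempted-user; sid:2010665; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# NOTE(review): sid:2011675 (left unchanged, it is disabled) -- the parameter-name alternation in its pcre
# includes "OS" and "Lang" under the /i flag with ".+" in front, so any "os" or "lang" substring after the
# CLSID ("host", "close", "language", ...) satisfies it. If this rule is re-enabled, consider requiring a
# delimiter around the names, e.g. [\x22\x27\s](service-url|...|OS|Lang|...)[\x22\x27\s=].
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcom Helper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; content:!"offer-"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+(service-url|banner|noexec|OS|Lang|return-page|core-product|userid|itemid|_c[xy]|sec-param|secparam)/si"; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.exploit-db.com/exploits/11172/; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2011675; classtype:attempted-user; sid:2011675; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# NOTE(review): sid:2009598 "(29)" -- the content anchored on CLSID A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE but
# the pcre required a different CLSID (A2E30750-6C3D-11D3-B653-00C04F79498E) in the classid attribute, so
# the rule only fired when BOTH appeared in one response. Every sibling (30)-(37) uses the same CLSID in
# content and pcre; the pcre is aligned to the content here and rev bumped 6->7. If A2E30750-... was the
# intended target it needs its own rule (both CLSIDs are on the MS advisory 972890 kill-bit list); verify
# against the upstream ET source.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (29)"; flow:to_client,established; content:"clsid"; nocase; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009598; classtype:web-application-attack; sid:2009598; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 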
attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (30)"; flow:to_client,established; content:"clsid"; nocase; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AD8E510D-217F-409B-8076-29C5E73B98E8/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009599; classtype:web-application-attack; sid:2009599; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (31)"; flow:to_client,established; content:"clsid"; nocase; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0EDF163-910A-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009600; classtype:web-application-attack; sid:2009600; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (32)"; flow:to_client,established; content:"clsid"; nocase; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B64016F3-C9A2-4066-96F0-BD9563314726/si"; 
reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009601; classtype:web-application-attack; sid:2009601; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (33)"; flow:to_client,established; content:"clsid"; nocase; content:"BB530C63-D9DF-4B49-9439-63453962E598"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB530C63-D9DF-4B49-9439-63453962E598/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009602; classtype:web-application-attack; sid:2009602; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (34)"; flow:to_client,established; content:"clsid"; nocase; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C531D9FD-9685-4028-8B68-6E1232079F1E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009603; classtype:web-application-attack; sid:2009603; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (35)"; flow:to_client,established; content:"clsid"; 
nocase; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCC-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009604; classtype:web-application-attack; sid:2009604; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009606; classtype:web-application-attack; sid:2009606; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; classtype:web-application-attack; sid:2008407; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target 
Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; classtype:web-application-attack; sid:2008408; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; content:"clsid"; nocase; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html; reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; classtype:web-application-attack; sid:2008409; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (38)"; flow:to_client,established; 
content:"clsid"; nocase; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCF-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009607; classtype:web-application-attack; sid:2009607; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (40)"; flow:to_client,established; content:"clsid"; nocase; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009609; classtype:web-application-attack; sid:2009609; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (41)"; flow:to_client,established; content:"clsid"; nocase; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009610; classtype:web-application-attack; sid:2009610; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, 
updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (42)"; flow:to_client,established; content:"clsid"; nocase; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009611; classtype:web-application-attack; sid:2009611; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (44)"; flow:to_client,established; content:"clsid"; nocase; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FA7C375B-66A7-4280-879D-FD459C84BB02/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009613; classtype:web-application-attack; sid:2009613; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (1)"; flow:to_client,established; content:"clsid"; nocase; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*011B3619-FE63-4814-8A84-15A194CE9CE3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009614; classtype:web-application-attack; sid:2009614; rev:4; 
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (2)"; flow:to_client,established; content:"clsid"; nocase; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0149EEDF-D08F-4142-8D73-D23903D21E90/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009615; classtype:web-application-attack; sid:2009615; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (3)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E5-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009616; classtype:web-application-attack; sid:2009616; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (4)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E6-45B6-11D3-B650-00C04F79498E/si"; 
reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009617; classtype:web-application-attack; sid:2009617; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (5)"; flow:to_client,established; content:"clsid"; nocase; content:"055CB2D7-2969-45CD-914B-76890722F112"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*055CB2D7-2969-45CD-914B-76890722F112/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009618; classtype:web-application-attack; sid:2009618; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Vulnerable Microsoft Video ActiveX CLSID access (6)"; flow:to_client,established; content:"clsid"; nocase; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15D6504A-5494-499C-886C-973C9E53B9F1/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; reference:url,doc.emergingthreats.net/2009619; classtype:web-application-attack; sid:2009619; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt"; flow:from_server,established; 
content:"189504B8-50D1-4AA8-B4D6-95C8F58A6414"; nocase; content:"SetSuperBuddy"; nocase; content:"//"; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*189504B8-50D1-4AA8-B4D6-95C8F58A6414/si"; reference:url,www.securityfocus.com/bid/36580/info; reference:url,www.securityfocus.com/archive/1/506889; reference:url,doc.emergingthreats.net/2010039; classtype:attempted-user; sid:2010039; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL IWinAmp ActiveX ConvertFile Buffer Overflow Attempt"; flow:from_server,established; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; content:"ConvertFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6/si"; reference:url,www.milw0rm.org/exploits/8733; reference:url,www.securityfocus.com/bid/35028; reference:url,doc.emergingthreats.net/2010160; classtype:attempted-user; sid:2010160; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL 9.5 BindToFile Heap Overflow Attempt"; flow:established,to_client; content:"BC8A96C6-3909-11D5-9001-00C04F4C3B9F"; nocase; content:"BindToFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC8A96C6-3909-11D5-9001-00C04F4C3B9F/si"; reference:url,tcc.hellcode.net/advisories/hellcode-adv008.txt; reference:url,doc.emergingthreats.net/2010814; classtype:attempted-user; sid:2010814; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL 9.5 
Phobos.Playlist Import ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"A105BD70-BF56-4D10-BC91-41C88321F47C"; nocase; content:".Import"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A105BD70-BF56-4D10-BC91-41C88321F47C/si"; reference:url,www.rec-sec.com/2010/01/25/aol-playlist-class-buffer-overflow/; reference:url,doc.emergingthreats.net/2010962; classtype:attempted-user; sid:2010962; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt"; flow:established,from_server; content:"3895DD35-7573-11D2-8FED-00606730D3AA"; nocase; content:"RUN"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3895DD35-7573-11D2-8FED-00606730D3AA/si"; reference:url,securitytracker.com/alerts/2009/Aug/1022752.html; reference:url,www.kb.cert.org/vuls/id/485961; reference:url,www.securityfocus.com/bid/21207/info; reference:url,doc.emergingthreats.net/2009868; classtype:attempted-user; sid:2009868; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Adobe Shockwave Player ActiveX Control Buffer Overflow clsid access"; flow:established,to_client; content:"233C1507-6A77-46A4-9443-F871F945D258"; nocase; content:"PlayerVersion"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*233C1507-6A77-46A4-9443-F871F945D258/si"; reference:url,www.milw0rm.com/exploits/9682; reference:url,doc.emergingthreats.net/2010256; classtype:web-application-attack; sid:2010256; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 
2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 2"; flow:to_client,established; content:"2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009688; classtype:web-application-attack; sid:2009688; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 3"; flow:to_client,established; content:"FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009689; classtype:web-application-attack; sid:2009689; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Altiris Deployment Solution AeXNSPkgDLLib.dll ActiveX Control DownloadAndInstall Method Arbitrary Code Execution Attempt"; flow:from_server,established; content:"63716E93-033D-48B0-8A2F-8E8473FD7AC7"; nocase; content:"DownloadAndInstall"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*63716E93-033D-48B0-8A2F-8E8473FD7AC7/si"; reference:url,securitytracker.com/alerts/2009/Sep/1022928.html; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20090922_00; reference:url,trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb?rev=7023; 
reference:url,doc.emergingthreats.net/2010011; classtype:attempted-user; sid:2010011; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOLShare ActiveX AppString method denial of service Attempt"; flow:established,to_client; content:"18477169-4752-41DC-AB0F-C50EBA75641D"; nocase; content:"Appstring"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18477169-4752-41DC-AB0F-C50EBA75641D/si"; reference:url,packetstorm.foofus.com/1001-exploits/aolactivex-dos.txt; reference:url,doc.emergingthreats.net/2010986; classtype:attempted-user; sid:2010986; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Attachmate Reflection X ActiveX Control 'ControlID' Buffer Overflow Attempt"; flow:established,to_client; content:"15B168B2-AD3C-11D1-A8D8-00A0C9200E61"; nocase; content:"ControlID"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15B168B2-AD3C-11D1-A8D8-00A0C9200E61/si"; reference:url,doc.emergingthreats.net/2011129; classtype:attempted-user; sid:2011129; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Autodesk Design Review DWF Viewer ActiveX Control SaveAs Insecure Method"; flow:to_client,established; content:"A662DA7E-CCB7-4743-B71A-D817F6D575DF"; nocase; content:"SaveAS"; nocase; 
reference:url,retrogod.altervista.org/9sg_autodesk_revit_arch_2009_exploit.html; reference:url,secunia.com/Advisories/31989/; reference:url,doc.emergingthreats.net/2008612; classtype:web-application-attack; sid:2008612; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Autodesk IDrop Indicator ActiveX Control Memory Corruption"; flow:to_client,established; content:"21E0CB95-1198-4945-A3D2-4BF804295F78"; nocase; pcre:"/(Src|Background|PackageXml)/i"; reference:url,secunia.com/advisories/34563/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2009-04/0020.html; reference:url,vupen.com/english/advisories/2009/0942; reference:url,milw0rm.com/exploits/8560; reference:url,doc.emergingthreats.net/2009399; classtype:web-application-attack; sid:2009399; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avax Vector avPreview.ocx ActiveX Control Buffer Overflow"; flow:to_client,established; content:"9589AEC9-1C2D-4428-B7E8-63B39D356F9C"; nocase; content:"PrinterName"; nocase; reference:url,packetstormsecurity.nl/0907-exploits/avax13-dos.txt; reference:bugtraq,35582; reference:url,juniper.net/security/auto/vulnerabilities/vuln35583.html; reference:url,doc.emergingthreats.net/2009792; classtype:web-application-attack; sid:2009792; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
ACTIVEX Awingsoft Web3D Player Remote Buffer Overflow"; flow:to_client,established; content:"17A54E7D-A9D4-11D8-9552-00E04CB09903"; nocase; content:"SceneURL"; nocase; reference:url,secunia.com/advisories/35764/; reference:url,milw0rm.com/exploits/9116; reference:url,shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html; reference:url,doc.emergingthreats.net/2009857; classtype:web-application-attack; sid:2009857; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm ActiveX Control OnBeforeVideoDownload Method Buffer Overflow"; flow:to_client,established; content:"6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"; nocase; content:"OnBeforeVideoDownload"; nocase; reference:bugtraq,34789; reference:url,milw0rm.com/exploits/8579; reference:url,doc.emergingthreats.net/2009425; classtype:web-application-attack; sid:2009425; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX BaoFeng Storm ActiveX Control SetAttributeValue Method Buffer Overflow"; flow:to_client,established; content:"BD103B2B-30FB-4F1E-8C17-D8F6AADBCC05"; nocase; content:"SetAttributeValue"; nocase; reference:bugtraq,34869; reference:url,juniper.net/security/auto/vulnerabilities/vuln34869.html; reference:url,vupen.com/english/advisories/2009/1392; reference:url,milw0rm.com/exploits/8757; reference:url,doc.emergingthreats.net/2009657; classtype:web-application-attack; sid:2009657; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver 
Resource Toolkit ActiveX Control EnableStartApplication/EnableStartBeforePrint/EnableKeepExistingFiles/EnablePassParameters Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"Enable"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(EnableKeepExistingFiles|EnableStartApplication|EnableStartBeforePrint|EnablePassParameters)/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010203; classtype:attempted-user; sid:2010203; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SetApplicationPath/SetStartApplicationParamCode/SetCustomStartAppParameter Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"Set"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5\s*(SetApplicationPath|SetStartApplicationParamCode|SetCustomStartAppParameter)/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010204; classtype:attempted-user; sid:2010204; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control SaveBlackIceDEVMODE Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"SaveBlackIceDEVMODE"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010205; classtype:attempted-user; sid:2010205; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ClearUserSettings Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"ClearUserSettings"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010206; classtype:attempted-user; sid:2010206; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Black Ice Printer Driver Resource Toolkit ActiveX Control ControlJob Buffer Overflow Attempt"; flow:from_server,established; content:"1503569A-0AE2-4333-B6E6-466AB0BC73E5"; nocase; content:"ControlJob"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1503569A-0AE2-4333-B6E6-466AB0BC73E5/si"; reference:url,www.securityfocus.com/bid/36548; reference:url,doc.emergingthreats.net/2010207; classtype:attempted-user; sid:2010207; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET ACTIVEX Charm Real Converter pro 6.6 Activex Control DOS clsid access attempt"; flow:established,to_client; content:"F4F647AD-B160-11D2-A3EF-00104BDF4755"; nocase; content:"GetCodecModulus"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4F647AD-B160-11D2-A3EF-00104BDF4755/si"; reference:url,www.packetstormsecurity.org/0909-exploits/charmrc-dos.txt; reference:url,doc.emergingthreats.net/2010280; classtype:web-application-attack; sid:2010280; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ChilkatHttp ActiveX 2.3 Arbitrary Files Overwrite"; flow:to_client,established; content:"B973393F-27C7-4781-877D-8626AAEDF119"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/Ri"; content:"SaveLastError"; nocase; reference:bugtraq,28546; reference:url,www.milw0rm.com/exploits/5338; reference:url,doc.emergingthreats.net/2008099; classtype:web-application-attack; sid:2008099; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Chilkat IMAP ActiveX File Execution and IE DoS"; flow:to_client,established; content:"126FB030-1E9E-4517-A254-430616582C50"; nocase; content:"LoadXmlEmail"; nocase; reference:url,www.milw0rm.com/exploits/6600; reference:url,doc.emergingthreats.net/2008607; classtype:web-application-attack; sid:2008607; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET ACTIVEX Chilkat Crypt ActiveX Component WriteFile Insecure Method"; flow:to_client,established; content:"3352B5B9-82E8-4FFD-9EB1-1A3E60056904"; nocase; content:"WriteFile"; nocase; reference:url,secunia.com/Advisories/32513/; reference:url,milw0rm.com/exploits/6963; reference:url,doc.emergingthreats.net/2008814; classtype:web-application-attack; sid:2008814; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Socket ACTIVEX Remote Arbitrary File Creation"; flow:to_client,established; content:"474FCCCD-1B89-4D34-9E09-45807F23289C"; nocase; content:"SaveLastError"; nocase; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7142; reference:url,doc.emergingthreats.net/2008870; classtype:web-application-attack; sid:2008870; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Socket Activex Remote Arbitrary File Overwrite 1"; flow:to_client,established; content:"3B598BD0-AF50-48C6-B6A5-63261A48B054"; nocase; content:"SaveLastError"; nocase; reference:bugtraq,32333; reference:url,milw0rm.com/exploits/7594; reference:url,doc.emergingthreats.net/2009046; classtype:web-application-attack; sid:2009046; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Chinagames ActiveX Control CreateChinagames Method Buffer Overflow"; flow:to_client,established; 
content:"75108B29-202F-493C-86C5-1C182A485C4C"; nocase; content:"CreateChinagames"; nocase; reference:bugtraq,34871; reference:url,milw0rm.com/exploits/8758; reference:url,doc.emergingthreats.net/2009500; classtype:web-application-attack; sid:2009500; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Ciansoft PDFBuilderX Control ActiveX Arbitrary File Overwrite"; flow:to_client,established; content:"00E7C7F8-71E2-498A-AB28-A3D72FC74485"; nocase; content:"SaveToFile"; nocase; reference:bugtraq,33233; reference:url,milw0rm.com/exploits/7794; reference:url,doc.emergingthreats.net/2009064; classtype:web-application-attack; sid:2009064; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Citrix Presentation Server Client WFICA.OCX ActiveX Component Heap Buffer Overflow Exploit"; flow:established,to_client; content:"0x40000"; content:"SendChannelData"; nocase; content:"238F6F83-B8B4-11CF-8771-00A024541EE3"; nocase; reference:url,www.milw0rm.com/exploits/5106; reference:bugtraq,21458; reference:cve,CVE-2006-6334; reference:url,doc.emergingthreats.net/bin/view/Main/2007851; classtype:web-application-attack; sid:2007851; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ComponentOne VSFlexGrid ActiveX Control Archive Method Buffer Overflow Attempt"; flow:established,to_client; 
content:" $HOME_NET any (msg:"ET ACTIVEX Consona Products SdcUser.TgConCtl ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:" $HOME_NET any (msg:"ET ACTIVEX Data Dynamics ActiveBar ActiveX Control (Actbar3.ocx 3.2) Multiple Insecure Methods"; flow:to_client,established; content:"5407153D-022F-4CD2-8BFF-465569BC5DB8"; nocase; pcre:"/.*\.(ini|exe|dll|bat|com|cab|txt)/i"; pcre:"/(Save|SaveLayoutChanges|SaveMenuUsageData)/i"; reference:bugtraq,24959; reference:cve,CVE-2007-3883; reference:url,www.exploit-db.com/exploits/5395/; reference:url,doc.emergingthreats.net/2008127; classtype:web-application-attack; sid:2008127; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX D-Link MPEG4 SHM (Audio) Control ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C"; nocase; content:"0x40000"; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007905; classtype:web-application-attack; sid:2007905; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EDraw Flowchart ActiveX Control OpenDocument Method Remote Code Execution Attempt"; flow:to_client,established; content:"F685AFD8-A5CC-410E-98E4-BAA1C559BA61"; nocase; content:"OpenDocument"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F685AFD8-A5CC-410E-98E4-BAA1C559BA61/si"; reference:url,doc.emergingthreats.net/2011055; classtype:attempted-user; 
sid:2011055; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible EMC Captiva PixTools Distributed Imaging ActiveX Control Vulnerable WriteToLog Method Arbitrary File Creation/Overwrite Attempt"; flow:established,from_server; content:"00200338-3D33-4FFC-AC20-67AA234325F3"; nocase; content:"WriteToLog"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00200338-3D33-4FFC-AC20-67AA234325F3/si"; reference:url,www.securityfocus.com/bid/36566/info; reference:url,www.shinnai.net/xplits/TXT_17zVMhRhsRE6qC6DAj52.html; reference:url,doc.emergingthreats.net/2010035; classtype:attempted-user; sid:2010035; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Objects emmailstore.dll ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"5B8BE023-76A2-4F6D-8993-F7E588D79D98"; nocase; content:"0x400000"; nocase; content:"CreateStore"; nocase; reference:bugtraq,32722; reference:url,milw0rm.com/exploits/7402; reference:url,doc.emergingthreats.net/2008963; classtype:web-application-attack; sid:2008963; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quiksoft EasyMail imap connect() ActiveX stack overflow vulnerability"; flow:from_server,established; 
content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; reference:url,www.milw0rm.com/exploits/9704; reference:url,www.securityfocus.com/bid/22583; reference:url,doc.emergingthreats.net/2009948; classtype:attempted-user; sid:2009948; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Quicksoft ActiveX Control Remote code excution clsid access attempt"; flow:to_client,established; content:"0CEA3FB1-7F88-4803-AA8E-AD021566955D"; nocase; content:"LicenseKey"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0CEA3FB1-7F88-4803-AA8E-AD021566955D/si"; reference:url,milw0rm.com/exploits/9684; reference:url,doc.emergingthreats.net/2010253; classtype:web-application-attack; sid:2010253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail ActiveX AddAttachment method Remote code excution clsid access attempt"; flow:established,to_client; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; content:"AddAttachment"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:url,www.milw0rm.com/exploits/9705; reference:url,doc.emergingthreats.net/2010278; classtype:web-application-attack; sid:2010278; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET ACTIVEX EasyMail Quicksoft ActiveX CreateStore method Remote code excution clsid access"; flow:established,to_client; content:"18A76B9A-45C1-11D3-80DC-00C04F6B92D0"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*18A76B9A-45C1-11D3-80DC-00C04F6B92D0/si"; content:"CreateStore"; nocase; reference:url,www.milw0rm.com/exploits/9685; reference:url,doc.emergingthreats.net/2010277; classtype:web-application-attack; sid:2010277; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; content:"DoSaveFile"; nocase; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009102; classtype:web-application-attack; sid:2009102; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Easy Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DD44C0EA-B2CF-31D1-8DD3-444553540000"; nocase; content:"DoSaveFile"; nocase; reference:bugtraq,33272; reference:url,doc.emergingthreats.net/2009063; classtype:web-application-attack; sid:2009063; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (1)"; flow:from_server,established; 
content:"4C39376E-FA9D-4349-BACC-D305C1750EF3"; nocase; content:"PictureUrls"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4C39376E-FA9D-4349-BACC-D305C1750EF3/si"; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009402; classtype:attempted-user; sid:2009402; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (2)"; flow:from_server,established; content:"C3EB1670-84E0-4EDA-B570-0B51AAE81679"; nocase; content:"PictureUrls"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C3EB1670-84E0-4EDA-B570-0B51AAE81679/si"; reference:url,www.kb.cert.org/vuls/id/983731; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,pages.ebay.com/securitycenter/activex/index.html; reference:url,doc.emergingthreats.net/2009403; classtype:attempted-user; sid:2009403; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow"; flow:to_client,established; content:"7E864D3E-3E6A-48F0-88AF-CEAEE322F9FD"; nocase; content:"RemoteAddress"; nocase; reference:bugtraq,32814; reference:url,www.milw0rm.com/exploits/7460; reference:url,doc.emergingthreats.net/2008999; classtype:web-application-attack; sid:2008999; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP ActiveX DeleteFile Arbitrary File Deletion"; flow:to_client,established; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; content:"DeleteFile"; nocase; reference:bugtraq,33842; reference:url,xforce.iss.net/xforce/xfdb/48837; 
reference:url,doc.emergingthreats.net/2009184; classtype:web-application-attack; sid:2009184; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP ActiveX Control GetFromURL Method Buffer Overflow Attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"ET ACTIVEX FlexCell Grid ActiveX Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"2A7D9CCE-211A-4654-9449-718F71ED9644"; nocase; pcre:"/(SaveFile|ExportToXML)/i"; reference:url,www.milw0rm.com/exploits/7868; reference:bugtraq,33453; reference:url,doc.emergingthreats.net/2009120; classtype:web-application-attack; sid:2009120; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Foxit Reader ActiveX control OpenFile method Heap Overflow Attempt"; flow:established,to_client; content:"05563215-225C-45EB-BB34-AFA47217B1DE"; nocase; content:"OpenFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*05563215-225C-45EB-BB34-AFA47217B1DE/si"; reference:url,www.exploit-db.com/exploits/11196; reference:url,doc.emergingthreats.net/2010929; classtype:attempted-user; sid:2010929; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gateway Weblaunch2.ocx ActiveX Control Insecure Method Exploit"; flow:to_client,established; content:"0x40000"; content:"DoWebLaunch"; 
content:"97BB6657-DC7F-4489-9067-51FAB9D8857E"; nocase; reference:url,www.milw0rm.com/exploits/4982; reference:bugtraq,27193; reference:url,doc.emergingthreats.net/2007852; classtype:web-application-attack; sid:2007852; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX GdPicture Pro ActiveX control SaveAsPDF Insecure Method"; flow:to_client,established; content:"E8512363-3581-42EF-A43D-990E7935C8BE"; nocase; content:"SaveAsPDF"; nocase; reference:url,secunia.com/Advisories/31966/; reference:url,milw0rm.com/exploits/6638; reference:url,doc.emergingthreats.net/2008613; classtype:web-application-attack; sid:2008613; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveAudio ActiveX Control Remote Code Execution"; flow:to_client,established; content:"814A3C52-B6F7-4AEA-A9BC-7849B9B0ECA8"; nocase; content:"GetAudioPlayingTime"; nocase; reference:bugtraq,34115; reference:url,milw0rm.com/exploits/8206; reference:url,doc.emergingthreats.net/2009328; classtype:web-application-attack; sid:2009328; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v8200 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"8D58D690-6B71-4ee8-85AD-006DB0287BF1"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,milw0rm.com/exploits/8059; 
reference:url,doc.emergingthreats.net/2009160; classtype:web-application-attack; sid:2009160; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v7000 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"DA8484DE-52DB-4860-A986-61A8682E298A"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009161; classtype:web-application-attack; sid:2009161; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX GeoVision LiveX_v8120 ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"F4421170-DB22-4551-BBFB-FFCFFB419F6F"; nocase; pcre:"/(SnapShotToFile|SnapShotX)/i"; reference:url,xforce.iss.net/xforce/xfdb/48773; reference:url,milw0rm.com/exploits/8059; reference:url,doc.emergingthreats.net/2009162; classtype:web-application-attack; sid:2009162; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gom Player V 2.1.16 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; content:"Command"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; 
reference:url,www.packetstormsecurity.org/0909-exploits/gomplayer-exec.txt; reference:url,doc.emergingthreats.net/2010367; classtype:web-application-attack; sid:2010367; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Gracenote CDDBControl ActiveX Control ViewProfile Method Heap Buffer Overflow Attempt"; flow:established,to_client; content:"B69003B3-C55E-4B48-836C-BC5946FC3B28"; nocase; content:"ViewProfile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B69003B3-C55E-4B48-836C-BC5946FC3B28/si"; reference:url,www.securityfocus.com/bid/37834; reference:url,doc.emergingthreats.net/2010760; classtype:attempted-user; sid:2010760; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP LoadRunner XUpload.ocx ActiveX Control MakeHttpRequest Arbitrary File Download Attempt"; flow:from_server,established; content:"E87F6C8E-16C0-11D3-BEF7-009027438003"; nocase; content:"XUPLOAD"; nocase; content:"MakeHttpRequest"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E87F6C8E-16C0-11D3-BEF7-009027438003/si"; reference:url,www.securityfocus.com/bid/36550/info; reference:url,doc.emergingthreats.net/2010010; classtype:attempted-user; sid:2010010; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX DisplayName 
method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"DisplayName"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010611; classtype:web-application-attack; sid:2010611; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX AddGroup method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"AddGroup"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010612; classtype:web-application-attack; sid:2010612; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX InstallComponent method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"InstallComponent"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010613; classtype:web-application-attack; sid:2010613; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, 
signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Openview NNM ActiveX Subscribe method Memory corruption Attempt"; flow:established,to_client; content:"A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE"; nocase; content:"Subscribe"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A801FD2B-6FA8-11D0-BB85-00AA00A7EAAE/si"; reference:url,www.securityfocus.com/archive/1/507948; reference:url,doc.emergingthreats.net/2010614; classtype:web-application-attack; sid:2010614; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -1"; flow:established,to_client; content:"98C53984-8BF8-4D11-9B1C-C324FCA9CADE"; nocase; content:"ProgColor"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*98C53984-8BF8-4D11-9B1C-C324FCA9CADE/si"; reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010778; classtype:attempted-user; sid:2010778; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Mercury Quality Center ActiveX ProgColor Buffer Overflow Attempt -2"; flow:established,to_client; content:"CDBD9968-7BF1-11D4-9D36-0001029DEBEB"; nocase; content:"ProgColor"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CDBD9968-7BF1-11D4-9D36-0001029DEBEB/si"; 
reference:url,secunia.com/advisories/24692/; reference:url,www.packetstormsecurity.nl/0911-exploits/hpmqc_progcolor.rb.txt; reference:url,www.kb.cert.org/vuls/id/589097; reference:url,doc.emergingthreats.net/2010779; classtype:attempted-user; sid:2010779; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Operations Manager SourceView ActiveX LoadFile/SaveFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"366C9C52-C402-416B-862D-1464F629CA59"; nocase; content:"File"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*366C9C52-C402-416B-862D-1464F629CA59.+(LoadFile|SaveFile)/si"; reference:url,packetstormsecurity.org/1004-exploits/CORELAN-10-027.txt; reference:url,secunia.com/advisories/39538/; reference:url,doc.emergingthreats.net/2011075; classtype:attempted-user; sid:2011075; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Virtual Rooms Control Clsid Access"; flow:from_server,established; content:"00000032-9593-4264-8B29-930B3E4EDCCD"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000032-9593-4264-8B29-930B3E4EDCCD/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01678405; reference:url,doc.emergingthreats.net/2009404; classtype:attempted-user; sid:2009404; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Haihaisoft Universal Player ActiveX 
Control URL Property Buffer Overflow Attempt"; flow:established,to_client; content:"1A01FF01-EA62-4702-B837-1E07158145FA"; nocase; content:"URL"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1A01FF01-EA62-4702-B837-1E07158145FA/si"; reference:url,www.shinnai.net/exploits/ZzLsi6TIfSuVPh1kPHmP.txt; reference:url,www.securityfocus.com/bid/37151/info; reference:url,doc.emergingthreats.net/2010373; classtype:attempted-user; sid:2010373; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hummingbird Deployment Wizard 2008 ActiveX Insecure Methods"; flow:to_client,established; content:"7F9B30F1-5129-4F5C-A76C-CE264A6C7D10"; nocase; pcre:"/(Run|SetRegistryValueAsString|PerformUpdateAsync)/i"; reference:url,secunia.com/Advisories/32337/; reference:url,doc.emergingthreats.net/2008678; classtype:web-application-attack; sid:2008678; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control SaveasMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; content:"SaveasMolFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010997; classtype:attempted-user; sid:2010997; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target 
Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Hyleos ChemView ActiveX Control ReadMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C372350A-1D5A-44DC-A759-767FC553D96C"; nocase; content:"ReadMolFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C372350A-1D5A-44DC-A759-767FC553D96C/si"; reference:url,www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf; reference:url,secunia.com/advisories/38523/; reference:url,doc.emergingthreats.net/2010998; classtype:attempted-user; sid:2010998; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX IAS Helper COM Component iashlpr.dll activex remote DOS"; flow:to_client,established; content:"6BC096BC-0CE6-11D1-BAAE-00C04FC2E20D"; nocase; content:"PutProperty"; nocase; reference:url,www.securityfocus.com/archive/1/archive/1/496695/100/0/threaded; reference:cve,2008-2639; reference:url,securityreason.com/securityalert/4323; reference:url,doc.emergingthreats.net/2008618; classtype:web-application-attack; sid:2008618; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IBM Access Support ActiveX GetXMLValue Stack Overflow Attempt"; flow:established,to_client; content:"74FFE28D-2378-11D5-990C-006094235084"; nocase; content:"GetXMLValue"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*74FFE28D-2378-11D5-990C-006094235084/si"; 
reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ibmegath_getxmlvalue.rb; reference:url,www.kb.cert.org/vuls/id/340420; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=17871; reference:cve,2009-0215; reference:url,doc.emergingthreats.net/2010483; classtype:attempted-user; sid:2010483; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Multimedia Controls - ActiveX control's spline function call CLSID"; flow:from_server,established; content:"D7A7D7C3-D47F-11D0-89D3-00A0C90833E6"; nocase; content:".Spline|28|"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D7A7D7C3-D47F-11D0-89D3-00A0C90833E6/si"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=28841; reference:cve,2006-4446; reference:url,doc.emergingthreats.net/2003102; classtype:attempted-user; sid:2003102; rev:12; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID"; flow:from_server,established; content:"7F5B7F63-F06F-4331-8A26-339E03C0AE3D"; nocase; reference:url,www.securityfocus.com/bid/20843; reference:url,secunia.com/advisories/22603; reference:cve,2006-4704; reference:url,www.microsoft.com/technet/security/bulletin/ms06-073.mspx; reference:url,doc.emergingthreats.net/2003158; classtype:attempted-user; sid:2003158; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VsmIDE.DTE object call 
CSLID"; flow:from_server,established; content:"06723E09-F4C2-43c8-8358-09FCD1DB0766"; nocase; reference:url,doc.emergingthreats.net/2003159; classtype:attempted-user; sid:2003159; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID"; flow:from_server,established; content:"639F725F-1B2D-4831-A9FD-874847682010"; nocase; reference:url,doc.emergingthreats.net/2003160; classtype:attempted-user; sid:2003160; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID"; flow:from_server,established; content:"BA018599-1DB3-44f9-83B4-461454C84BF8"; nocase; reference:url,doc.emergingthreats.net/2003161; classtype:attempted-user; sid:2003161; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt"; flow:established,to_client; content:"B4DC8DD9-2CC1-4081-9B2B-20D7030234EF"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B4DC8DD9-2CC1-4081-9B2B-20D7030234EF/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2002971; classtype:attempted-user; sid:2002971; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt"; flow:established,to_client; content:"C63344D8-70D3-4032-9B32-7A3CAD5091A5"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C63344D8-70D3-4032-9B32-7A3CAD5091A5/si"; reference:cve,2006-1303; reference:bugtraq,18328; 
reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010263; classtype:attempted-user; sid:2010263; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt"; flow:established,to_client; content:"353359C1-39E1-491b-9951-464FD8AB071C"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*353359C1-39E1-491b-9951-464FD8AB071C/si"; reference:cve,2006-1303; reference:bugtraq,18328; reference:url,www.microsoft.com/technet/security/bulletin/ms06-021.mspx; reference:url,doc.emergingthreats.net/2010264; classtype:attempted-user; sid:2010264; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 1 Access Attempt"; flow:established,to_client; content:"5DFB2651-9668-11D0-B17B-00C04FC2A0CA"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5DFB2651-9668-11D0-B17B-00C04FC2A0CA/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010292; classtype:attempted-user; sid:2010292; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 2 Access Attempt"; flow:established,to_client; content:"39A2C2A6-4778-11D2-9BDB-204C4F4F5020"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*39A2C2A6-4778-11D2-9BDB-204C4F4F5020/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010293; classtype:attempted-user; sid:2010293; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET 
ACTIVEX COM Object MS06-042 CLSID 3 Access Attempt"; flow:established,to_client; content:"3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3DA2AA3E-3D96-11D2-9BD2-204C4F4F5020/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010294; classtype:attempted-user; sid:2010294; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 4 Access Attempt"; flow:established,to_client; content:"E8C31D11-6FD2-4659-AD75-155FA143F42B"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E8C31D11-6FD2-4659-AD75-155FA143F42B/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010295; classtype:attempted-user; sid:2010295; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 5 Access Attempt"; flow:established,to_client; content:"44C79591-D0DE-49C4-BA3C-A45AB7003356"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44C79591-D0DE-49C4-BA3C-A45AB7003356/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010296; classtype:attempted-user; sid:2010296; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 6 Access Attempt"; flow:established,to_client; content:"1B544C24-FD0B-11CE-8C63-00AA0044B520"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1B544C24-FD0B-11CE-8C63-00AA0044B520/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; 
reference:url,doc.emergingthreats.net/2010297; classtype:attempted-user; sid:2010297; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 7 Access Attempt"; flow:established,to_client; content:"1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1CB1623E-BBEC-4E8D-B2DF-DC08C6F4627C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010298; classtype:attempted-user; sid:2010298; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 8 Access Attempt"; flow:established,to_client; content:"2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010299; classtype:attempted-user; sid:2010299; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 9 Access Attempt"; flow:established,to_client; content:"31087270-D348-432C-899E-2D2F38FF29A0"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31087270-D348-432C-899E-2D2F38FF29A0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010300; classtype:attempted-user; sid:2010300; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 10 Access Attempt"; flow:established,to_client; content:"41D2B841-7692-4C83-AFD3-F60E845341AF"; 
nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*41D2B841-7692-4C83-AFD3-F60E845341AF/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010301; classtype:attempted-user; sid:2010301; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 11 Access Attempt"; flow:established,to_client; content:"2EA10031-0033-450E-8072-E27D9E768142"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2EA10031-0033-450E-8072-E27D9E768142/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010302; classtype:attempted-user; sid:2010302; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 12 Access Attempt"; flow:established,to_client; content:"4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010303; classtype:attempted-user; sid:2010303; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 13 Access Attempt"; flow:established,to_client; content:"C0D076C5-E4C6-4561-8BF4-80DA8DB819D7"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0D076C5-E4C6-4561-8BF4-80DA8DB819D7/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010304; classtype:attempted-user; sid:2010304; rev:6; metadata:created_at 2010_07_30, updated_at 
2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 14 Access Attempt"; flow:established,to_client; content:"4F3E50BD-A9D7-4721-B0E1-00CB42A0A747"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4F3E50BD-A9D7-4721-B0E1-00CB42A0A747/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010305; classtype:attempted-user; sid:2010305; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 15 Access Attempt"; flow:established,to_client; content:"586FB486-5560-4FF3-96DF-1118C96AF456"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*586FB486-5560-4FF3-96DF-1118C96AF456/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010306; classtype:attempted-user; sid:2010306; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 16 Access Attempt"; flow:established,to_client; content:"5B4B05EB-1F63-446B-AAD1-E10A34D650E0"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5B4B05EB-1F63-446B-AAD1-E10A34D650E0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010307; classtype:attempted-user; sid:2010307; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 17 Access Attempt"; flow:established,to_client; content:"679E132F-561B-42F8-846C-A70DBDC62999"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*679E132F-561B-42F8-846C-A70DBDC62999/si"; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010308; classtype:attempted-user; sid:2010308; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 18 Access Attempt"; flow:established,to_client; content:"6C68955E-F965-4249-8E18-F0977B1D2899"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6C68955E-F965-4249-8E18-F0977B1D2899/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010309; classtype:attempted-user; sid:2010309; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 19 Access Attempt"; flow:established,to_client; content:"7F1232EE-44D7-4494-AB8B-CC61B10E21A5"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F1232EE-44D7-4494-AB8B-CC61B10E21A5/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010310; classtype:attempted-user; sid:2010310; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 20 Access Attempt"; flow:established,to_client; content:"92883667-E95C-443D-AC96-4CACA27BEB6E"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*92883667-E95C-443D-AC96-4CACA27BEB6E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010311; classtype:attempted-user; sid:2010311; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 22 Access Attempt"; 
flow:established,to_client; content:"A2EDA89A-0966-4B91-9C18-AB69F098187F"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2EDA89A-0966-4B91-9C18-AB69F098187F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010313; classtype:attempted-user; sid:2010313; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 23 Access Attempt"; flow:established,to_client; content:"C44C65C7-FDF1-453D-89A5-BCC28F5D69F9"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C44C65C7-FDF1-453D-89A5-BCC28F5D69F9/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010314; classtype:attempted-user; sid:2010314; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 24 Access Attempt"; flow:established,to_client; content:"C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6CB1FE3-B05E-4F0E-818F-C83ED5A0332F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010315; classtype:attempted-user; sid:2010315; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 25 Access Attempt"; flow:established,to_client; content:"AECF5D2E-7A18-4DD2-BDCD-29B6F615B448"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AECF5D2E-7A18-4DD2-BDCD-29B6F615B448/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010316; 
classtype:attempted-user; sid:2010316; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 26 Access Attempt"; flow:established,to_client; content:"BC0D69A8-0923-4EEE-9375-9239F5A38B92"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BC0D69A8-0923-4EEE-9375-9239F5A38B92/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010317; classtype:attempted-user; sid:2010317; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 27 Access Attempt"; flow:established,to_client; content:"C8F209F8-480E-454C-94A4-5392D88EBA0F"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C8F209F8-480E-454C-94A4-5392D88EBA0F/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010318; classtype:attempted-user; sid:2010318; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 28 Access Attempt"; flow:established,to_client; content:"CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010319; classtype:attempted-user; sid:2010319; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 29 Access Attempt"; flow:established,to_client; content:"CFFB1FC7-270D-4986-B299-FECF3F0E42DB"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFFB1FC7-270D-4986-B299-FECF3F0E42DB/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010320; classtype:attempted-user; sid:2010320; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 30 Access Attempt"; flow:established,to_client; content:"E188F7A3-A04E-413E-99D1-D79A45F70305"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E188F7A3-A04E-413E-99D1-D79A45F70305/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010321; classtype:attempted-user; sid:2010321; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 31 Access Attempt"; flow:established,to_client; content:"E476CBFF-E229-4524-B6B7-228A3129D1C7"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E476CBFF-E229-4524-B6B7-228A3129D1C7/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010322; classtype:attempted-user; sid:2010322; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 32 Access Attempt"; flow:established,to_client; content:"EF105BC3-C064-45F1-AD53-6D8A8578D01B"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EF105BC3-C064-45F1-AD53-6D8A8578D01B/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010323; classtype:attempted-user; sid:2010323; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) 
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 33 Access Attempt"; flow:established,to_client; content:"EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010324; classtype:attempted-user; sid:2010324; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 34 Access Attempt"; flow:established,to_client; content:"F44BB2D0-F070-463E-9433-B0CCF3CFD627"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F44BB2D0-F070-463E-9433-B0CCF3CFD627/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010325; classtype:attempted-user; sid:2010325; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 35 Access Attempt"; flow:established,to_client; content:"5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5A20FD6F-F8FE-4a22-9EE7-307D72D09E6E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010326; classtype:attempted-user; sid:2010326; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 36 Access Attempt"; flow:established,to_client; content:"ADEADEB8-E54B-11d1-9A72-0000F875EADE"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*ADEADEB8-E54B-11d1-9A72-0000F875EADE/si"; reference:cve,2006-3638; 
reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010327; classtype:attempted-user; sid:2010327; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 37 Access Attempt"; flow:established,to_client; content:"EC85D8F1-1C4E-46e4-A748-7AA04E7C0496"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*EC85D8F1-1C4E-46e4-A748-7AA04E7C0496/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010328; classtype:attempted-user; sid:2010328; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 38 Access Attempt"; flow:established,to_client; content:"A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2D4529E-84E0-4550-A2E0-C25D7C5CC0D0/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010329; classtype:attempted-user; sid:2010329; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 39 Access Attempt"; flow:established,to_client; content:"E673DCF2-C316-4c6f-AA96-4E4DC6DC291E"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E673DCF2-C316-4c6f-AA96-4E4DC6DC291E/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010330; classtype:attempted-user; sid:2010330; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 40 Access Attempt"; 
flow:established,to_client; content:"D74CA70F-2236-4BA8-A297-4B2A28C2363C"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D74CA70F-2236-4BA8-A297-4B2A28C2363C/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010331; classtype:attempted-user; sid:2010331; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 41 Access Attempt"; flow:established,to_client; content:"01002B17-5D93-4551-81E4-831FEF780A53"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*01002B17-5D93-4551-81E4-831FEF780A53/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010332; classtype:attempted-user; sid:2010332; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Communications Control Clsid Access"; flow:from_server,established; content:"648A5600-2C6E-101B-82B6-000000000014"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*648A5600-2C6E-101B-82B6-000000000014/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,doc.emergingthreats.net/2009400; classtype:attempted-user; sid:2009400; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DebugDiag CrashHangExt.dll ActiveX Control Remote Denial of Service"; flow:to_client,established; content:"7233D6F8-AD31-440F-BAF0-9E7A292A53DA"; nocase; content:"GetEntryPointForThread"; nocase; reference:bugtraq,31996; reference:url,doc.emergingthreats.net/2008792; classtype:web-application-attack; sid:2008792; rev:48; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target 
Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Visual Basic Common AVI ActiveX Control File Parsing Buffer Overflow"; flow:to_client,established; content:"B09DE715-87C1-11D1-8BE3-0000F8754DA1"; nocase; content:"Open"; nocase; content:".avi"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/7431; reference:bugtraq,32613; reference:url,doc.emergingthreats.net/2008993; classtype:web-application-attack; sid:2008993; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-1"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; content:"CheckForUpdates"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010562; classtype:web-application-attack; sid:2010562; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Whale Intelligent Application Gateway ActiveX Buffer Overflow-2"; flow:established,to_client; content:"8D9563A9-8D5F-459B-87F2-BA842255CB9A"; nocase; content:"UpdateComponents"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8D9563A9-8D5F-459B-87F2-BA842255CB9A/si"; reference:url,dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/mswhale_checkforupdates.rb; reference:url,www.kb.cert.org/vuls/id/789121; reference:url,doc.emergingthreats.net/2010563; classtype:web-application-attack; sid:2010563; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Windows Media Services nskey.dll ActiveX Control Possible Remote Buffer Overflow"; flow:to_client,established; content:"2646205B-878C-11D1-B07C-0000C040BCDB"; nocase; content:"CallHTMLHelp"; nocase; reference:bugtraq,30814; reference:cve,2008-5232; reference:url,doc.emergingthreats.net/2008925; classtype:web-application-attack; sid:2008925; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit"; flow:to_client,established; content:"0x40000"; content:"WksPictureInterface"; nocase; distance:0; content:"00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"; nocase; distance:0; reference:bugtraq,28820; reference:url,www.milw0rm.com/exploits/5460; reference:url,www.milw0rm.com/exploits/5530; reference:url,doc.emergingthreats.net/2008226; classtype:web-application-attack; sid:2008226; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> 
$HOME_NET any (msg:"ET ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid"; flow:to_client,established; content:"f5078f32-c551-11d3-89b9-0000f81fe221"; nocase; content:"loadXML"; nocase; distance:0; content:"parseError.srcText"; nocase; distance:0; reference:bugtraq,32155; reference:url,milw0rm.com/exploits/7196; reference:url,doc.emergingthreats.net/2008887; classtype:web-application-attack; sid:2008887; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Macrovision FLEXnet Connect ActiveX Control Arbitrary File Download"; flow:to_client, established; content:"DownloadAndExecute"; nocase; content:"1DF951B1-8D40-4894-A04C-66AD824A0EEF"; nocase; distance:0; reference:bugtraq,27279; reference:url,www.milw0rm.com/exploits/4913; reference:url,doc.emergingthreats.net/2010358; classtype:successful-user; sid:2010358; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX McAfee ePolicy Orchestrator naPolicyManager.dll Arbitrary Data Write Attempt"; flow:from_server,established; content:"04D18721-749F-4140-AEB0-CAC099CA4741"; nocase; content:"WriteTaskDataToIniFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*04D18721-749F-4140-AEB0-CAC099CA4741/si"; reference:url,www.securitytracker.com/alerts/2009/Jun/1022413.html; reference:url,www.packetstormsecurity.com/0906-exploits/mcafee-activex.txt; reference:url,doc.emergingthreats.net/2009411; classtype:attempted-user; sid:2009411; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MetaProducts MetaTreeX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; 
content:"67E66985-F81A-11D6-BC0F-F7B40157DC26"; nocase; pcre:"/(SaveToBMP|SaveToFile)/i"; reference:bugtraq,33318; reference:url,milw0rm.com/exploits/7804; reference:url,doc.emergingthreats.net/2009104; classtype:web-application-attack; sid:2009104; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microgaming FlashXControl Control Clsid Access"; flow:from_server,established; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D8089245-3211-40F6-819B-9E5E92CD61A2/si"; reference:url,www.microsoft.com/technet/security/advisory/969898.mspx; reference:url,www.microgaming.co.uk/news_flashxcontrol.php; reference:url,doc.emergingthreats.net/2009401; classtype:attempted-user; sid:2009401; rev:26; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTsoft NCTAudioFile2 ActiveX Control NCTWMAFILE2.DLL Arbitrary File Overwrite"; flow:to_client,established; content:"6ED74AE3-8066-4385-AABA-243E033F75A3"; nocase; content:"CreateFile"; nocase; reference:url,www.milw0rm.com/exploits/7871; reference:bugtraq,24613; reference:url,doc.emergingthreats.net/2009121; classtype:web-application-attack; sid:2009121; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Nokia Phoenix Service Software ActiveX Control Buffer Overflow"; flow:to_client,established; content:"F85B4A10-B530-4D68-A714-7415838FD174"; nocase; content:"SelectDevice"; nocase; reference:bugtraq,33726; 
reference:url,doc.emergingthreats.net/2009178; classtype:web-application-attack; sid:2009178; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell GroupWise Client 'gxmim1.dll' ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"9796BED2-C1CF-11D2-9384-0008C7396667"; nocase; content:"SetFontFace"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9796BED2-C1CF-11D2-9384-0008C7396667/si"; reference:url,www.securityfocus.com/bid/36398; reference:url,doc.emergingthreats.net/2009923; classtype:attempted-user; sid:2009923; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client ExecuteRequest ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"ExecuteRequest"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:cve,2008-0935; reference:url,doc.emergingthreats.net/2010693; classtype:attempted-user; sid:2010693; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Novell iPrint Client GetDriverSettings ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"336723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; 
content:"GetDriverSettings"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:cve,2008-2908; reference:url,doc.emergingthreats.net/2010694; classtype:attempted-user; sid:2010694; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orbit Downloader ActiveX Control Arbitrary File Delete"; flow:to_client,established; content:"3F1D494B-0CEF-4468-96C9-386E2E4DEC90"; nocase; content:"download"; nocase; reference:bugtraq,34200; reference:url,milw0rm.com/exploits/8257; reference:url,doc.emergingthreats.net/2009314; classtype:web-application-attack; sid:2009314; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Orca Browser 1.1 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"7606693A-C18D-4567-AF85-6194FF70761E"; nocase; content:"ExecCommand"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7606693A-C18D-4567-AF85-6194FF70761E/si"; reference:url,www.packetstormsecurity.org/0909-exploits/orca-exec.txt; reference:url,doc.emergingthreats.net/2010363; classtype:web-application-attack; sid:2010363; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PDFZilla 1.0.8 ActiveX DebugMsgLog method DOS CLSid Access"; flow:established,to_client; 
content:"59DBDDA6-9A80-42A4-B824-9BC50CC172F5"; nocase; content:"DebugMsgLog"; nocase; reference:url,packetstormsecurity.org/0908-exploits/pdfzilla-overflow.txt; reference:url,doc.emergingthreats.net/9130; classtype:web-application-attack; sid:2010029; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PPStream PowerPlayer.DLL ActiveX Control BoF Vulnerability"; flow:to_client,established; content:"5EC7C511-CD0F-42E6-830C-1BD9882F3458"; nocase; content:"0x40000"; content:"Logo"; nocase; reference:bugtraq,25502; reference:url,doc.emergingthreats.net/2008173; classtype:web-application-attack; sid:2008173; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible PPStream MList.ocx Buffer Overflow Attempt"; flow:from_server,established; content:"D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D22DE742-04CD-4B5C-A8A3-82AB3DAEC43D/si"; reference:url,www.securityfocus.com/bid/36234/info; reference:url,doc.emergingthreats.net/2009858; classtype:attempted-user; sid:2009858; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Phoenician Casino FlashAX ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"D8089245-3211-40F6-819B-9E5E92CD61A2"; nocase; content:"SetID"; nocase; reference:bugtraq,32901; reference:url,www.milw0rm.com/exploits/7505; reference:url,doc.emergingthreats.net/2009002; classtype:web-application-attack; sid:2009002; rev:8; 
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Dart Communications PowerTCP FTP for ActiveX DartFtp.dll Control Buffer Overflow"; flow:to_client,established; content:"39FDA070-61BA-11D2-AD84-00105A17B608"; nocase; content:"%5F%DC%02%10%cc"; nocase; distance:0; content:"SecretKey"; nocase; reference:bugtraq,31814; reference:url,www.milw0rm.com/exploits/6793; reference:url,doc.emergingthreats.net/2008683; classtype:web-application-attack; sid:2008683; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX PrecisionID Datamatrix ActiveX control Arbitrary File Overwrite"; flow:to_client,established; content:"6C951D10-B07F-11DB-A6ED-0050C2490048"; nocase; pcre:"/(SaveBarCode|SaveEnhWMF)/i"; reference:url,milw0rm.com/exploits/8332; reference:url,securityfocus.com/archive/1/502319; reference:url,doc.emergingthreats.net/2009315; classtype:web-application-attack; sid:2009315; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ProgramChecker 1.5 Activex Command Execution clsid access attempt"; flow:established,to_client; content:"DD50A655-10FB-11D2-A22B-00104B27F81B"; nocase; content:"Run"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*DD50A655-10FB-11D2-A22B-00104B27F81B/si"; reference:url,www.packetstormsecurity.org/0909-exploits/programchecker-exec.txt; 
reference:url,doc.emergingthreats.net/2010365; classtype:web-application-attack; sid:2010365; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Remote Desktop Connection ActiveX Control Heap Overflow clsid access"; flow:established,to_client; content:"7390f3d8-0439-4c05-91e3-cf5cb290c3d0"; nocase; pcre:"/]*\s*classid\s*=\s*(.+\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*7390f3d8-0439-4c05-91e3-cf5cb290c3d0\s*}?\s*(\?P=q1)(\s|>)/si"; reference:cve,2009-1929; reference:url,www.microsoft.com/technet/security/Bulletin/MS09-044.mspx; reference:url,doc.emergingthreats.net/2009907; classtype:attempted-user; sid:2009907; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RKD Software ActiveX Control SaveasMolFile Method Buffer Overflow Attempt"; flow:established,to_client; content:"C26D9CA8-6747-11D5-AD4B-C01857C10000"; nocase; content:"SaveasMolFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C26D9CA8-6747-11D5-AD4B-C01857C10000/si"; reference:url,packetstorm.foofus.com/1002-exploits/barcode_ax49.rb.txt; reference:bugtraq,24596; reference:url,doc.emergingthreats.net/2011020; classtype:attempted-user; sid:2011020; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RTSP MPEG4 SP Control ActiveX Control Url Property Buffer Overflow Vulnerability"; 
flow:to_client,established; content:"45830FF9-D9E6-4F41-86ED-B266933D8E90"; nocase; content:"0x40000"; nocase; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007904; classtype:web-application-attack; sid:2007904; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Rediff Bol Downloader ActiveX Control Remote Code Execution"; flow:to_client,established; content:"BADA82CB-BF48-4D76-9611-78E2C6F49F03"; nocase; content:"url"; nocase; distance:0; pcre:"/(exe|bat|com|dll|ini)/i"; content:"start"; nocase; reference:cve,CVE-2006-6838; reference:bugtraq,21831; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/21831.html; reference:url,doc.emergingthreats.net/2007998; classtype:web-application-attack; sid:2007998; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Registry OCX ActiveX FullPath Method Buffer Overflow Attempt"; flow:to_client,established; content:"6D5B4E71-625F-11D2-B3AE-00A0C932C7DF"; nocase; content:"FullPath"; nocase; reference:url,exploit-db.com/exploits/14200/; reference:url,doc.emergingthreats.net/2011253; classtype:attempted-user; sid:2011253; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Rising Online Virus Scanner ActiveX Control Scan() Method 
Stack Buffer Overflow Attempt"; flow:established,to_client; content:"9FAFB576-6933-4CCC-AB3D-B988EC43D04E"; nocase; content:"Scan"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9FAFB576-6933-4CCC-AB3D-B988EC43D04E/si"; reference:url,www.securityfocus.com/bid/38282; reference:url,doc.emergingthreats.net/2010839; classtype:attempted-user; sid:2010839; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Roxio CinePlayer SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow"; flow:to_client,established; content:"9F1363DA-0220-462E-B923-9E3C9038896F"; nocase; content:"DiskType"; nocase; reference:url,milw0rm.com/exploits/8824; reference:bugtraq,23412; reference:url,doc.emergingthreats.net/2009725; classtype:web-application-attack; sid:2009725; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Roxio CinePlayer IAManager.dll ActiveX Control Buffer Overflow"; flow:to_client,established; content:"EE1BBA18-F0C8-477E-8AC8-C28B94F1B7DC"; nocase; content:"SetIAPlayerName"; nocase; reference:url,xforce.iss.net/xforce/xfdb/50868; reference:url,milw0rm.com/exploits/8835; reference:url,doc.emergingthreats.net/2009735; classtype:web-application-attack; sid:2009735; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SAP GUI ActiveX Control Insecure 
Method File Overwrite Attempt"; flow:from_server,established; content:"AFBBE070-7340-11d2-AA6B-00E02924C34E"; nocase; content:"Save"; nocase; content:"ToSessionFile"; within:17; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AFBBE070-7340-11d2-AA6B-00E02924C34E/si"; reference:url,www.securitytracker.com/alerts/2009/Sep/1022953.html; reference:url,doc.emergingthreats.net/2010013; classtype:attempted-user; sid:2010013; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX SAP AG SAPgui sapirrfc.dll ActiveX Control Buffer Overflow Attempt"; flow:from_server,established; content:"77F12F8A-F117-11D0-8CF1-00A0C91D9D87"; nocase; content:"Accept"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*77F12F8A-F117-11D0-8CF1-00A0C91D9D87/si"; reference:url,www.securityfocus.com/bid/35256/info; reference:url,doc.emergingthreats.net/2010219; classtype:attempted-user; sid:2010219; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Archive method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"Archive"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010468; classtype:web-application-attack; sid:2010468; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX Text method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"Text"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010469; classtype:web-application-attack; sid:2010469; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX EditSelText method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"EditSelText"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010470; classtype:web-application-attack; sid:2010470; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX EditText method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"EditText"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010471; classtype:web-application-attack; sid:2010471; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI vsflexGrid ActiveX CellFontName method Buffer Overflow CLSID Attempt"; flow:established,to_client; content:"C0A63B86-4B21-11D3-BD95-D426EF2C7949"; nocase; content:"CellFontName"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C0A63B86-4B21-11D3-BD95-D426EF2C7949/si"; reference:url,dsecrg.com/pages/vul/show.php?id=117; reference:url,osvdb.org/show/osvdb/41939; reference:url,doc.emergingthreats.net/2010472; classtype:web-application-attack; sid:2010472; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP AG SAPgui EAI WebViewer2D ActiveX stack buffer overflow CLSid Access"; flow:established,to_client; content:"A76CEBEE-7364-11D2-AA6B-00E02924C34E"; nocase; content:"SaveToSessionFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A76CEBEE-7364-11D2-AA6B-00E02924C34E/si"; reference:url,dsecrg.com/pages/vul/show.php?id=143; reference:url,doc.emergingthreats.net/2010481; classtype:attempted-user; sid:2010481; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) 
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SAP GUI SAPBExCommonResources ActiveX Insecure Method Code Execution Attempt"; flow:established,to_client; content:"A009C90D-814B-11D3-BA3E-080009D22344"; nocase; content:"Execute"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A009C90D-814B-11D3-BA3E-080009D22344/si"; reference:url,dsecrg.com/pages/vul/show.php?id=164; reference:url,doc.emergingthreats.net/2010957; classtype:attempted-user; sid:2010957; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SaschArt SasCam Webcam Server ActiveX Control Get Method Buffer Overflow"; flow:to_client,established; content:"0297D24A-F425-47EE-9F3B-A459BCE593E3"; nocase; content:"Get"; nocase; reference:bugtraq,33053; reference:url,milw0rm.com/exploits/7617; reference:url,doc.emergingthreats.net/2009047; classtype:web-application-attack; sid:2009047; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt"; flow:established,from_server; content:"E3462D53-47A6-11D8-8EF6-DAE89272743C"; nocase; content:"StartVideoSaving"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E3462D53-47A6-11D8-8EF6-DAE89272743C/si"; reference:url,www.securityfocus.com/bid/36217/info; reference:url,doc.emergingthreats.net/2009869; classtype:attempted-user; sid:2009869; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SonicWALL SSL VPN Client 
Remote ActiveX AddRouteEntry Attempt"; flow:to_client,established; content:"6EEFD7B1-B26C-440D-B55A-1EC677189F30"; nocase; content:"AddRouteEntry"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6EEFD7B1-B26C-440D-B55A-1EC677189F30/si"; reference:url,www.securityfocus.com/bid/26288/info; reference:cve,2007-5603; reference:url,doc.emergingthreats.net/2010456; classtype:attempted-user; sid:2010456; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Sopcast SopCore ActiveX Control Remote Code Execution"; flow:to_client,established; content:"8FEFF364-6A5F-4966-A917-A3AC28411659"; nocase; content:"SetExternalPlayer"; nocase; reference:bugtraq,33920; reference:url,packetstorm.linuxsecurity.com/0902-exploits/9sg_sopcastia.txt; reference:url,doc.emergingthreats.net/2009226; classtype:web-application-attack; sid:2009226; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SupportSoft DNA Editor Module ActiveX Control Insecure Method Remote Code Execution"; flow:to_client,established; content:"01110800-3E00-11D2-8470-0060089874ED"; nocase; pcre:"/(Packagefiles|SaveDna|SetIdentity|AddFile)/i"; reference:bugtraq,34004; reference:url,milw0rm.com/exploits/8160; reference:url,doc.emergingthreats.net/2009322; classtype:web-application-attack; sid:2009322; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Sygate Personal Firewall ActiveX SetRegString Method Stack Overflow Attempt"; flow:established,to_client; content:"D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9"; nocase; content:"SetRegString"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9/si"; reference:url,www.exploit-db.com/exploits/13834/; reference:url,www.corelan.be#=#=8800/index.php/forum/security-advisories/10-050-sygate-personal-firewall-5-6-build-2808-activex/; reference:url,doc.emergingthreats.net/2011690; classtype:attempted-user; sid:2011690; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability"; flow:to_client,established; content:"22ACD16F-99EB-11D2-9BB3-00400561D975"; nocase; content:"0x40000"; pcre:"/(_DOWText)|(_MonthText)/i"; content:"Save"; nocase; reference:url,www.milw0rm.com/exploits/5205; reference:cve,CVE-2007-6017; reference:bugtraq,28008; reference:url,doc.emergingthreats.net/2007932; classtype:web-application-attack; sid:2007932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Norton Ghost EasySetupInt.dll ActiveX Multiple Remote Denial of Service"; flow:to_client,established; content:"7972D5BE-2213-4B28-884C-F8F82432EAA5"; nocase; pcre:"/(SetupDeleteVolume|GetBackupLocationPath|CallUninstall|CanUseEasySetup|CallAddInitialProtection|CallTour)/i"; reference:url,milw0rm.com/exploits/8523; reference:bugtraq,34696; reference:url,doc.emergingthreats.net/2009373; classtype:web-application-attack; sid:2009373; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target 
Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec WinFax Pro DCCFAXVW.DLL Heap Buffer Overflow"; flow:to_client,established; content:"C05A1FBC-1413-11D1-B05F-00805F4945F6"; nocase; content:"AppendFax"; nocase; reference:bugtraq,34766; reference:url,milw0rm.com/exploits/8562; reference:url,doc.emergingthreats.net/2009385; classtype:web-application-attack; sid:2009385; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Security Check RuFSI ActiveX Control Buffer Overflow"; flow:to_client,established; content:"69DEAF94-AF66-11D3-BEC0-00105AA9B6AE"; nocase; pcre:"/classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*69DEAF94-AF66-11D3-BEC0-00105AA9B6AE/si"; reference:bugtraq,8008; reference:url,xforce.iss.net/xforce/xfdb/12423; reference:url,juniper.net/security/auto/vulnerabilities/vuln8008.html; reference:url,doc.emergingthreats.net/2009847; classtype:web-application-attack; sid:2009847; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Symantec Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt"; flow:established,from_server; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; content:"BrowseAndSaveFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00; reference:url,www.securityfocus.com/bid/36698/info; 
reference:url,sotiriu.de/adv/NSOADV-2009-001.txt; reference:cve,2009-3031; reference:url,doc.emergingthreats.net/2010227; classtype:attempted-user; sid:2010227; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Altiris Deployment Solution and Notification Server ActiveX Control RunCmd Arbitrary Code Execution Attempt"; flow:established,to_client; content:"B44D252D-98FC-4D5C-948C-BE868392A004"; nocase; content:"RunCmd"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B44D252D-98FC-4D5C-948C-BE868392A004/si"; reference:url,securitytracker.com/alerts/2009/Nov/1023238.html; reference:url,www.securityfocus.com/bid/37092; reference:cve,2009-3033; reference:url,doc.emergingthreats.net/2010369; classtype:attempted-user; sid:2010369; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec Antivirus 10.0 Client Proxy ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"E381F1C0-910E-11D1-AB1E-00A0C90F8F6F"; nocase; content:"SetRemoteComputerName"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E381F1C0-910E-11D1-AB1E-00A0C90F8F6F/si"; reference:url,www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_02; reference:url,dsecrg.com/pages/vul/show.php?id=139; reference:cve,2010-0108; reference:url,doc.emergingthreats.net/2010958; classtype:attempted-user; sid:2010958; rev:5; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible activePDF WebGrabber ActiveX Control Buffer Overflow Attempt"; flow:established,to_client; content:"02C2DD87-2E67-11D2-96EF-0000861852D5"; nocase; content:"GetStatus"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02C2DD87-2E67-11D2-96EF-0000861852D5/si"; reference:url,www.fortiguard.com/encyclopedia/vulnerability/activepdf.webgrabber.apwebgrb.ocx.activex.access.html; reference:url,packetstormsecurity.org/0911-exploits/activepdf_webgrabber.rb.txt; reference:url,doc.emergingthreats.net/2010691; classtype:attempted-user; sid:2010691; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tumbleweed SecureTransport FileTransfer ActiveX BOF Exploit"; flow:to_client,established; content:"38681fbd-d4cc-4a59-a527-b3136db711d3"; nocase; content:"TransferFile"; nocase; pcre:"/[\w\W]{2500,}/i"; reference:bugtraq,28662; reference:url,www.milw0rm.com/exploits/5398; reference:url,doc.emergingthreats.net/2008128; classtype:web-application-attack; sid:2008128; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HTTP ACTi SaveXMLFile()/DeleteXMLFile() nvUnifiedControl.dll Arbitrary File Overwrite/Deletion Attempt"; flow:established,from_server; content:"A0D43FB0-116B-47AB-80FB-6DCFA92A03E3"; nocase; content:"eXMLFile"; nocase; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A0D43FB0-116B-47AB-80FB-6DCFA92A03E3/si"; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009894; classtype:attempted-user; sid:2009894; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HTTP ACTi SetText() nvUnifiedControl.dll Buffer Overflow Attempt"; flow:established,from_server; content:"A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8"; nocase; content:"SetText"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6F36F3F-3AE0-458B-AFC4-AA82565E0BF8/si"; reference:url,tools.cisco.com/security/center/viewIpsSignature.x?signatureId=18237&signatureSubId=1&softwareVersion=6.0&releaseVersion=S429; reference:url,www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22546; reference:url,www.securityfocus.com/bid/25465; reference:url,doc.emergingthreats.net/2009893; classtype:attempted-user; sid:2009893; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw PDF Viewer FtpConnect Component ActiveX Remote code execution Attempt"; flow:from_server,established; content:"44A8091F-8F01-43B7-8CF7-4BBA71E61E04"; nocase; content:"FtpConnect"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*44A8091F-8F01-43B7-8CF7-4BBA71E61E04/si"; reference:url,www.milw0rm.org/exploits/8986; reference:url,doc.emergingthreats.net/2010161; classtype:attempted-user; sid:2010161; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, 
signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Defender ActiveX DeleteValue/WriteValue method Heap Overflow Attempt"; flow:established,to_client; content:"07DD3249-A591-4949-8F20-09CD347C69DC"; nocase; content:"Value"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*07DD3249-A591-4949-8F20-09CD347C69DC.+(DeleteValue|WriteValue)/si"; reference:url,www.packetstormsecurity.org/1001-exploits/msdef1-overflow.txt; reference:url,doc.emergingthreats.net/2010834; classtype:attempted-user; sid:2010834; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Messenger ActiveX Control RichUploadControlContextData Buffer Overflow Attempt"; flow:established,to_client; content:"C2828995-4A83-4100-A212-3024BA117356"; nocase; content:"RichUploadControlContextData"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C2828995-4A83-4100-A212-3024BA117356/si"; reference:url,www.securityfocus.com/bid/37908/info; reference:url,doc.emergingthreats.net/2010702; classtype:attempted-user; sid:2010702; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX VeryDOC PDF Viewer ActiveX Control OpenPDF Buffer Overflow"; flow:to_client,established; content:"433268D7-2CD4-43E6-AA24-2188672E7252"; nocase; content:"OpenPDF"; nocase; reference:bugtraq,32313; reference:url,milw0rm.com/exploits/7126; reference:url,doc.emergingthreats.net/2008869; classtype:web-application-attack; sid:2008869; 
rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Visagesoft eXPert PDF EditorX ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"89F968A1-DBAC-4807-9B3C-405A55E4A279"; nocase; content:"extractPagesToFile"; nocase; distance:0; reference:bugtraq,32664; reference:url,milw0rm.com/exploits/7358; reference:url,doc.emergingthreats.net/2008895; classtype:web-application-attack; sid:2008895; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Viscom Software Movie Player Pro SDK ActiveX 6.8 Remote Buffer Overflow Attempt"; flow:established,to_client; content:"F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E"; nocase; content:"DrawText"; nocase; content:!"|0A|"; within:25; isdataat:25,relative; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E/si"; reference:url,en.securitylab.ru/poc/extra/389924.php; reference:url,doc.emergingthreats.net/2010840; classtype:attempted-user; sid:2010840; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible VMware Console ActiveX Format String Remote Code Execution Attempt"; flow:established,to_client; content:"B94C2238-346E-4C5E-9B36-8CC627F35574"; nocase; content:"connect"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B94C2238-346E-4C5E-9B36-8CC627F35574/si"; 
reference:url,dsecrg.com/pages/vul/show.php?id=153; reference:url,lists.vmware.com/pipermail/security-announce/2010/000090.html; reference:cve,2009-3732; reference:url,doc.emergingthreats.net/2011126; classtype:attempted-user; sid:2011126; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Web on Windows ActiveX Insecure Methods"; flow:to_client,established; content:"441E9D47-9F52-11D6-9672-0080C88B3613"; nocase; pcre:"/(WriteIniFileString|ShellExecute)/i"; reference:bugtraq,33515; reference:url,xforce.iss.net/xforce/xfdb/48337; reference:url,doc.emergingthreats.net/2009136; classtype:web-application-attack; sid:2009136; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WinDVD7 IASystemInfo.DLL ActiveX ApplicationType method buffer overflow Attempt"; flow:established,to_client; content:"B727C217-2022-11D4-B2C6-0050DA1BD906"; nocase; content:"ApplicationType"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B727C217-2022-11D4-B2C6-0050DA1BD906/si"; reference:url,www.packetstormsecurity.nl/0911-exploits/windvd7_applicationtype.rb.txt; reference:url,secunia.com/advisories/24556/; reference:url,doc.emergingthreats.net/2010852; classtype:web-application-attack; sid:2010852; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Universal HTTP File Upload Remote 
File Deletetion"; flow:to_client,established; content:"4FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; content:"RemoveFileOrDir"; nocase; pcre:"/(txt|ini|com|exe|bat|dll|dat)/i"; reference:url,www.milw0rm.com/exploits/5272; reference:url,doc.emergingthreats.net/2008062; classtype:web-application-attack; sid:2008062; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Universal HTTP Image/File Upload ActiveX Remote File Deletion Exploit"; flow:to_client,established; content:"04FD48E6-0712-4937-B09E-F3D285B11D82"; nocase; content:"RemoveFileOrDir"; nocase; distance:0; reference:url,www.milw0rm.com/exploits/5569; reference:url,doc.emergingthreats.net/2008225; classtype:web-application-attack; sid:2008225; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Novell ZENWorks for Desktops Remote Heap-Based Buffer Overflow"; flow:to_client,established; content:"0F517994-A6FA-4F39-BD4B-EC2DF00AEEF1"; nocase; content:"CanUninstall"; nocase; reference:bugtraq,31435; reference:url,securitytracker.com/alerts/2008/Sep/1020951.html; reference:url,doc.emergingthreats.net/2008619; classtype:web-application-attack; sid:2008619; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX IE ActiveX control Exec method Remote code execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"72C24DD5-D70A-438B-8A42-98424B88AFB8"; nocase; distance:0; content:"Exec"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*72C24DD5-D70A-438B-8A42-98424B88AFB8/si"; reference:url,www.packetstormsecurity.org/1001-exploits/wshomocx-activex.txt; 
reference:url,doc.emergingthreats.net/2010978; classtype:attempted-user; sid:2010978; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Internet Information Service iisext.dll activex setpassword Insecure Method"; flow:to_client,established; content:"CLSID"; nocase; content:"C3B32488-AFEC-11D1-9868-00A0C922E703"; distance:0; nocase; content:"SetPassword"; nocase; reference:cve,2008-4301; reference:url,www.securityfocus.com/archive/1/archive/1/496694/100/0/threaded; reference:url,doc.emergingthreats.net/2008620; classtype:web-application-attack; sid:2008620; rev:38; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX 4XEM VatDecoder VatCtrl Class ActiveX Control Url Property Buffer Overflow Vulnerability"; flow:to_client,established; content:"210D0CBC-8B17-48D1-B294-1A338DD2EB3A"; nocase; content:"0x40000"; content:"Url"; nocase; reference:bugtraq,28010; reference:url,www.milw0rm.com/exploits/5193; reference:url,doc.emergingthreats.net/2007903; classtype:web-application-attack; sid:2007903; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Danim.dll and Dxtmsft.dll COM Objects"; flow:established,from_server; pcre:"/42B07B28-2280-4937-B035-0293FB812781|542FB453-5003-11CF-92A2-00AA00B8A733/i"; reference:cve,2006-1186; 
reference:url,www.microsoft.com/technet/security/bulletin/ms06-013.mspx; reference:url,doc.emergingthreats.net/2002861; classtype:web-application-attack; sid:2002861; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAudioFile2 ActiveX SetFormatLikeSample() Buffer Overflow"; flow:established,from_server; content:"77829F14-D911-40FF-A2F0-D11DB8D6D0BC"; content:"SetFormatLikeSample("; isdataat:500,relative; content:!")"; distance:0; within:500; reference:cve,2007-0018; reference:url,secunia.com/advisories/23475/; reference:url,doc.emergingthreats.net/2003328; classtype:web-application-attack; sid:2003328; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Morovia Barcode ActiveX Control Arbitrary File Overwrite"; flow:to_client,established; content:"18B409DA-241A-4BD8-AC69-B5D547D5B141"; nocase; pcre:"/(Save|ExportImage)/i"; reference:url,milw0rm.com/exploits/8208; reference:bugtraq,23934; reference:url,doc.emergingthreats.net/2009334; classtype:web-application-attack; sid:2009334; rev:30; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NCTAVIFile V 1.6.2 Activex File Creation clsid access attempt"; flow:established,to_client; content:"6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790"; nocase; content:"OpenFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*6B1E11AC-BF5C-4CF5-9DC9-F81F715EB790/si"; reference:url,www.packetstatic.com/0909-exploits/nctavi-exec.txt; reference:url,doc.emergingthreats.net/2010356; 
classtype:web-application-attack; sid:2010356; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX iDefense COMRaider ActiveX Control Arbitrary File Deletion"; flow:to_client,established; content:"9A077D0D-B4A6-4EC0-B6CF-98526DF589E4"; nocase; pcre:"/(DeleteFile|write)/i"; reference:bugtraq,33867; reference:bugtraq,33942; reference:url,doc.emergingthreats.net/2009187; classtype:web-application-attack; sid:2009187; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX InstallFrom Method Access Attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"ET ACTIVEX Avaya CallPilot Unified Messaging ActiveX Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NMWEBINST.NMWebInstCtrl.1"; nocase; distance:0; content:"InstallFrom"; nocase; reference:url,secunia.com/advisories/40184/; reference:bugtraq,40535; reference:url,doc.emergingthreats.net/2011681; classtype:attempted-user; sid:2011681; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Axis Media Controller ActiveX SetImage Method Remote Code Execution Attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"ET ACTIVEX DjVu DjVu_ActiveX_MSOffice.dll ActiveX Component Heap Buffer Overflow"; flow:to_client,established; content:"CLSID"; 
nocase; content:"4A46B8CD-F7BD-11D4-B1D8-000102290E7C"; nocase; distance:0; content:"0x400000"; distance:0; content:"ImageURL"; nocase; reference:bugtraq,31987; reference:url,milw0rm.com/exploits/6878; reference:url,doc.emergingthreats.net/2008790; classtype:web-application-attack; sid:2008790; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX EasyMail Object SMTP Component Buffer Overflow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"EasyMail.SMTP.6"; distance:0; nocase; pcre:"/(AddAttachment|SubmitToExpress)/i"; reference:url,secunia.com/advisories/24199/; reference:url,www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/oracle_dc_submittoexpress.rb; reference:url,doc.emergingthreats.net/2010657; classtype:web-application-attack; sid:2010657; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:" $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MSVidCtlLib.MSVidVMR9"; nocase; distance:0; content:".CustomCompositorClass"; nocase; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:attempted-user; sid:2011590; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_01, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader 
Toolkit ActiveX Control Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SoftekATL.CBarcode"; nocase; distance:0; content:".DebugTraceFile"; nocase; reference:url,exploit-db.com/exploits/15071/; classtype:attempted-user; sid:2011870; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Softek Barcode Reader Toolkit ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*11E7DA45-B56D-4078-89F6-D3D651EC4CD6/si"; reference:url,exploit-db.com/exploits/15071; classtype:web-application-attack; sid:2011869; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code Execution Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0; content:"extSetOwner"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si"; reference:url,www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/; classtype:attempted-user; sid:2011867; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_29, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Technologies Barcode ActiveX Barcode.dll Multiple 
Arbitrary File Overwrite"; flow:to_client,established; content:"14D09688-CFA7-11D5-995A-005004CE563B"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31979; reference:url,milw0rm.com/exploits/6871; reference:url,doc.emergingthreats.net/2008809; classtype:web-application-attack; sid:2008809; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 PDF417 MW6PDF417.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"90D2A875-5024-4CCD-80AA-C8A353DB2B45"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31983; reference:url,milw0rm.com/exploits/6873; reference:url,doc.emergingthreats.net/2008810; classtype:web-application-attack; sid:2008810; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 DataMatrix DataMatrix.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; content:"DE7DA0B5-7D7B-4CEA-8739-65CF600D511E"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31980; reference:url,milw0rm.com/exploits/6872; reference:url,doc.emergingthreats.net/2008811; classtype:web-application-attack; sid:2008811; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MW6 Aztec ActiveX Aztec.dll ActiveX Control Multiple Arbitrary File Overwrite"; flow:to_client,established; 
content:"F359732D-D020-40ED-83FF-F381EFE36B54"; nocase; pcre:"/(SaveAsBMP|SaveAsWMF)/i"; reference:bugtraq,31974; reference:url,milw0rm.com/exploits/6870; reference:url,doc.emergingthreats.net/2008812; classtype:web-application-attack; sid:2008812; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX RSP MP3 Player OCX ActiveX OpenFile Method Buffer Overflow Attempt"; flow:to_client,established; content:"3C88113F-8CEC-48DC-A0E5-983EF9458687"; nocase; content:"OpenFile"; distance:0; nocase; reference:url,exploit-db.com/exploits/14309/; reference:url,packetstormsecurity.org/1007-exploits/rspmp3-overflow.txt; reference:url,doc.emergingthreats.net/2011249; classtype:web-application-attack; sid:2011249; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AOL Radio AmpX ActiveX Control ConvertFile Method Buffer Overflow"; flow:to_client,established; content:"FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6"; nocase; content:"ConvertFile"; nocase; reference:url,milw0rm.com/exploits/8733; reference:bugtraq,35028; reference:url,doc.emergingthreats.net/2009469; classtype:web-application-attack; sid:2009469; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Akamai Download Manager Stack Buffer Overflow CLSID Access 1"; flow:to_client,established; content:"4871A87A-BFDD-4106-8153-FFDE2BAC2967"; 
nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4871A87A-BFDD-4106-8153-FFDE2BAC2967/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=813; reference:url,doc.emergingthreats.net/2009687; classtype:web-application-attack; sid:2009687; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX MciWndx ActiveX Control"; flow:from_server,established; content:"288F1523-FAC4-11CE-B16F-00AA0060D93D"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002724; classtype:web-application-attack; sid:2002724; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ACTIVEX PPMate PPMedia Class ActiveX Control Buffer Overflow"; flow:to_client,established; content:"72B15B25-2EC8-4CDD-B284-C89A5F8E8D5F"; nocase; content:"StartURL"; nocase; reference:cve,2008-3242; reference:url,secunia.com/advisories/30952; reference:url,milw0rm.com/exploits/6090; reference:url,doc.emergingthreats.net/2009143; classtype:web-application-attack; sid:2009143; rev:37; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX DB Software Laboratory VImpX.ocx ActiveX Control Multiple Insecure Methods"; flow:to_client,established; content:"CLSID"; nocase; content:"7600707B-9F47-416D-8AB5-6FD96EA37968"; nocase; pcre:"/(LogFile|ClearLogFile|SaveToFile)/i"; reference:bugtraq,31907; reference:url,milw0rm.com/exploits/6828; reference:url,doc.emergingthreats.net/2008789; 
classtype:web-application-attack; sid:2008789; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft DirectX 9 msvidctl.dll ActiveX Control Code Execution Attempt"; flow:to_client,established; content:"24DC3975-09BF-4231-8655-3EE71F43837D"; nocase; content:".CustomCompositorClass"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*24DC3975-09BF-4231-8655-3EE71F43837D/si"; reference:url,packetstorm.linuxsecurity.com/1009-exploits/msvidctl-activex.txt; classtype:web-application-attack; sid:2011589; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_10_01, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WBEM.SingleViewCtrl.1"; nocase; distance:0; pcre:"/WBEM\x2ESingleViewCtrl\x2E1.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; classtype:attempted-user; sid:2012157; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt"; flow:established,to_client; content:"0B68B7EB-02FF-4A41-BC14-3C303BB853F9"; nocase; content:"DelFile"; nocase; distance:0; 
pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B68B7EB-02FF-4A41-BC14-3C303BB853F9/si"; reference:url,packetstormsecurity.org/files/view/97394/newvcommon-insecure.txt; classtype:attempted-user; sid:2012192; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt"; flow:established,to_client; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; nocase; content:"RecordClip"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5/si"; reference:bid,44443; reference:cve,2010-3749; classtype:attempted-user; sid:2012194; rev:3; metadata:created_at 2011_01_15, updated_at 2011_01_15;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object MS06-042 CLSID 21 Access Attempt"; flow:established,to_client; content:"930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6/si"; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; reference:url,doc.emergingthreats.net/2010312; classtype:attempted-user; sid:2010312; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Novell iPrint ActiveX GetDriverSettings Remote Code Execution Attempt"; flow:established,to_client; content:"36723F97-7AA0-11D4-8919-FF2D71D0D32C"; nocase; content:"GetDriverSettings2"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*36723F97-7AA0-11D4-8919-FF2D71D0D32C/si"; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-256/; reference:url,www.vupen.com/english/advisories/2010/3023; reference:bid,44966; reference:cve,2010-4321; classtype:attempted-user; sid:2012206; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_20, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt"; flow:established,to_client; content:"68AC0D5F-0424-11D5-822F-00C04F6BA8D9"; nocase; content:"ImportBodyText"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*68AC0D5F-0424-11D5-822F-00C04F6BA8D9/si"; reference:cve,2010-3595; classtype:attempted-user; sid:2012231; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Deletion Attempt"; flow:established,to_client; content:"F647CBE5-3C01-402A-B3F0-502A77054A24"; nocase; content:"DownloadSingleMessageToFile"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F647CBE5-3C01-402A-B3F0-502A77054A24/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012232; rev:2; metadata:created_at 2011_01_27, updated_at 2011_01_27;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite Attempt"; flow:established,to_client; content:"4932CEF4-2CAA-11D2-A165-0060081C43D9"; nocase; content:"SaveLayoutChanges"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4932CEF4-2CAA-11D2-A165-0060081C43D9/si"; reference:cve,2010-3591; classtype:attempted-user; sid:2012233; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; 
sid:2012234; rev:3; metadata:created_at 2011_01_27, updated_at 2011_01_27;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt"; flow:established,to_client; content:"CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA"; nocase; content:"cdda|3A|//"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA/si"; reference:bid,44450; reference:cve,2010-3747; classtype:attempted-user; sid:2012543; rev:3; metadata:created_at 2011_03_24, updated_at 2011_03_24;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; content:"Exec"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5.+(Exec|ExecLow|ShellExec)/smi"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012636; rev:3; metadata:created_at 2011_04_05, updated_at 2011_04_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"5818813E-D53D-47A5-ABBB-37E2A07056B5"; nocase; content:"CreateVistaTaskLow"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*5818813E-D53D-47A5-ABBB-37E2A07056B5/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012637; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; 
content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"ShellExec"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012638; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"CreateShortcut"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012639; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt"; flow:established,to_client; content:"80AB3FB6-9660-416C-BE8D-0E2E8AC3138B"; nocase; content:"CopyDocument"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*80AB3FB6-9660-416C-BE8D-0E2E8AC3138B/si"; reference:url,www.exploit-db.com/exploits/17105/; reference:bid,47133; classtype:attempted-user; sid:2012640; rev:4; metadata:created_at 2011_04_05, updated_at 2011_04_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt"; flow:established,to_client; content:"CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA"; nocase; content:"launchjnlp"; fast_pattern; nocase; distance:0; content:"docbase"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:257,relative; content:!"|0A|"; within:257; reference:bid,44023; reference:cve,2010-3552; classtype:attempted-user; sid:2012641; rev:3; 
metadata:created_at 2011_04_06, updated_at 2011_04_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ELONFMTLib.ElonFmt"; nocase; distance:0; content:".GetItem1"; nocase; reference:url,exploit-db.com/exploits/17196; classtype:attempted-user; sid:2012742; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_04_29, updated_at 2016_07_01;) alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt"; flow:established,to_client; content:"333C7BC4-460F-11D0-BC04-0080C7055A83"; nocase; content:"DataURL"; nocase; distance:0; content:"value=|22|"; nocase; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*333C7BC4-460F-11D0-BC04-0080C7055A83/si"; reference:url,securitytracker.com/alerts/2010/Mar/1023773.html; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20202; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.vupen.com/english/advisories/2010/0744; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0805; reference:url,doc.emergingthreats.net/2011007; classtype:attempted-user; sid:2011007; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Magneto ICMP ActiveX ICMPSendEchoRequest Remote Code Execution Attempt"; flow:established,to_client; content:"3A86F1F2-4921-4C75-AF2C-A1AA241E12BA"; nocase; content:"ICMPSendEchoRequest"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3A86F1F2-4921-4C75-AF2C-A1AA241E12BA/si"; reference:url,www.exploit-db.com/exploits/17328/; classtype:attempted-user; sid:2012905; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_05_31, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt"; flow:established,to_client; content:"55963676-2F5E-4BAF-AC28-CF26AA587566"; nocase; content:"url"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*55963676-2F5E-4BAF-AC28-CF26AA587566/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012929; rev:2; metadata:created_at 2011_06_03, updated_at 2011_06_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Cisco.AnyConnect.VPNWeb.1 Arbitrary Program Execution Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Cisco.AnyConnect.VPNWeb.1"; nocase; distance:0; content:"url"; nocase; distance:0; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012930; rev:3; metadata:created_at 2011_06_03, updated_at 2011_06_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Easewe FTP OCX ActiveX Control EaseWeFtp.ocx Remote Code Execution Attempt"; flow:established,to_client; content:"31AE647D-11D1-4E6A-BE2D-90157640019A"; nocase; fast_pattern:only; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*31AE647D-11D1-4E6A-BE2D-90157640019A.+(Execute|Run|CreateLocalFile|CreateLocalFolder|DeleteLocalFile)/smi"; reference:bid,48393; classtype:attempted-user; sid:2013119; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_06_24, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit"; 
flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013132; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2E980303-C865-11CF-BA24-444553540000/si"; reference:url,exploit-db.com/exploits/17416; classtype:attempted-user; sid:2013131; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*79956462-F148-497F-B247-DF35A095F80B/si"; reference:url,exploit-db.com/exploits/17415/; reference:cve,2008-2683; classtype:attempted-user; sid:2013130; rev:2; metadata:created_at 2011_06_29, updated_at 2011_06_29;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX LEADTOOLS Imaging LEADSmtp ActiveX SaveMessage Method Vulnerability"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F/si"; reference:bugtraq,48408; classtype:attempted-user; sid:2013163; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX RunCore method Buffer Overflow Vulnerability"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; 
classtype:attempted-user; sid:2013162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Ubisoft CoGSManager ActiveX Initialize method Buffer Overflow Vulnerability"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*27527D31-447B-11D5-A46E-0001023B4289/si"; reference:url,secunia.com/advisories/45044; classtype:attempted-user; sid:2013161; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX CygniCon CyViewer ActiveX Control SaveData Insecure Method Vulnerability"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A6FC2988-16BE-4053-BE89-F562431FD6ED/si"; reference:bugtraq,48483; classtype:attempted-user; sid:2013160; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_01, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Chilkat Crypt ActiveX Control SaveDecrypted Insecure Method Vulnerability"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0B70AB61-5C95-4126-9985-A32531CA8619/si"; reference:bugtraq,48585; classtype:attempted-user; sid:2013233; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX IDrive Online 
Backup ActiveX control SaveToFile Insecure Method"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E/si"; reference:url,htbridge.ch/advisory/idrive_online_backup_activex_control_insecure_method.html; classtype:attempted-user; sid:2013232; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 5"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FCB4B50A-E3F1-4174-BD18-54C3B3287258/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013432; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 4"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013431; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 3"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FAB9B41C-87D6-474D-AB7E-F07D78F2422E/si"; 
reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013430; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 2"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*536600D3-70FE-4C50-92FB-640F6BFC49AD/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013429; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TeeChart Professional ActiveX Control integer overflow Vulnerability 1"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6C10489-FB89-11D4-93C9-006008A7EED4/si"; reference:url,packetstormsecurity.org/files/view/103964/teechart_pro.rb.txt; classtype:attempted-user; sid:2013428; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_08_19, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Software Possible Memory Corruption Attempt"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*658ED6E7-0DA1-4ADD-B2FB-095F08091118/si"; classtype:web-application-attack; sid:2013565; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tom Sawyer Possible Memory Corruption Attempt 
Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1"; nocase; distance:0; classtype:attempted-user; sid:2013566; rev:2; metadata:created_at 2011_09_12, updated_at 2011_09_12;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt"; flow:established,to_client; content:"67DABFBF-D0AB-41fa-9C46-CC0F21721616"; nocase; content:"file|3A 2F 2F|"; nocase; distance:0; isdataat:200,relative; content:!"|0A|"; within:200; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*67DABFBF-D0AB-41fa-9C46-CC0F21721616/smi"; reference:url,www.dl.packetstormsecurity.net/1109-advisories/sa45550.txt; classtype:attempted-user; sid:2013750; rev:3; metadata:created_at 2011_10_11, updated_at 2011_10_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".ExportEdaBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013814; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (ExportEdaBom)"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106065/9sg_autovueiii.tgz; classtype:attempted-user; sid:2013813; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag 
ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".Export3DBom"; content:"|2E 2E 2F|"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013812; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (Export3DBom)"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,packetstormsecurity.org/files/106064/9sg_autovueii.tgz; classtype:attempted-user; sid:2013811; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue Activex Insecure method (SaveViewStateToFile) Format String Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AUTOVUEX.AutoVueXCtrl.1"; nocase; distance:0; content:".SaveViewStateToFile"; nocase; content:"|2E 2E 2F|"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013810; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Oracle AutoVue 
Activex Insecure method (SaveViewStateToFile)"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B6FCC215-D303-11D1-BC6C-0000C078797F/si"; reference:url,exploit-db.com/exploits/18016; classtype:attempted-user; sid:2013809; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_10_31, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:2103148; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"1B9E86D8-7CAF-46C8-9938-569B21E17A8E"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2014325; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ASUS Net4Switch ActiveX CxDbgPrint Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ipswcom.IPSWComItf"; nocase; distance:0; content:"CxDbgPrint"; nocase; reference:url,packetstormsecurity.org/files/110296/ASUS-Net4Switch-ipswcom.dll-ActiveX-Stack-Buffer-Overflow.html; 
classtype:attempted-user; sid:2014326; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_06, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Stack Buffer Overflow"; flow:to_client,established; content:" $HOME_NET any (msg:"ET ACTIVEX EdrawSoft Office Viewer Component ActiveX FtpUploadFile Format String Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"OfficeViewer.OfficeViewer"; nocase; distance:0; content:"FtpUploadFile"; nocase; reference:url,packetstormsecurity.org/files/109298/EdrawSoft-Office-Viewer-Component-ActiveX-5.6-Buffer-Overflow.html; classtype:attempted-user; sid:2014391; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_17, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 2"; flow:from_server,established; content:" $HOME_NET any (msg:"ET ACTIVEX Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera PlayerPT ActiveX Control PlayerPT.ocx Access 1"; flow:from_server,established; content:" $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxClientSystem.ClientSystem.1"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014423; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity 
Major, created_at 2012_03_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ExportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ExportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014420; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class ActiveX Control ImportSettings Function Call Attempt"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TuxScripting.TuxSystem.1"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014419; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X ApplicationServer TuxSystem Class 
ActiveX Control ImportSettings Remote File Overwrite Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"5BD64392-DA66-4852-9715-CFBA98D25296"; nocase; distance:0; content:"ImportSettings"; nocase; reference:url,www.exploit-db.com/exploits/18625/; classtype:attempted-user; sid:2014418; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX 2X Client for RDP ClientSystem Class ActiveX Control InstallClient Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"F5DF8D65-559D-4b75-8562-5302BD2F5F20"; nocase; distance:0; content:"InstallClient"; nocase; reference:url,www.exploit-db.com/exploits/18624/; classtype:attempted-user; sid:2014422; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_26, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"13149882-F480-4F6B-8C6A-0764F75B99ED"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014451; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_03_31, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution"; 
flow:to_client,established; content:"CLSID"; nocase; content:"EF600D71-358F-11D1-8FD4-00AA00BD091C"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014453; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest InTrust Annotation Objects ActiveX Control Add Access Potential Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AnnotationX.AnnList.1"; nocase; distance:0; content:".Add("; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18674/; classtype:attempted-user; sid:2014454; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014455; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"UltraMJCam.UltraMJCam.1"; nocase; distance:0; 
content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014456; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible UserManager SelectServer method Buffer Overflow Attempt"; flow:to_client,established; content:"]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E5D2CE27-5FA0-11D2-A666-204C4F4F5020/si"; reference:url,exploit-db.com/exploits/16002/; classtype:web-application-attack; sid:2012218; rev:3; metadata:created_at 2011_01_21, updated_at 2011_01_21;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Dell Webcam CrazyTalk ActiveX Control BackImage Access Potential Buffer Overflow Attempt 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CRAZYTALK4Lib.CrazyTalk4"; nocase; distance:0; content:"BackImage"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111077/Dell-Webcam-CrazyTalk-ActiveX-BackImage-Vulnerability.html; classtype:attempted-user; sid:2014452; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_01, updated_at 2016_07_01;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Microsoft PicturePusher ActiveX Cross Site File Upload Attack"; flow:from_server,established; content:"507813C3-0B26-47AD-A8C0-D483C7A21FA7"; nocase; pcre:"/http\://.*?[\w]{4,}=1/i"; pcre:"/(PostURL|AddSeperator|AddString|Post)/i"; reference:url,milw0rm.com/exploits/6699; reference:url,doc.emergingthreats.net/2008673; classtype:web-application-attack; sid:2008673; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, 
deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"84B74E82-3475-420E-9949-773B4FB91771"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014550; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Tivoli Provisioning Manager Express Isig.isigCtl.1 ActiveX RunAndUploadFile Method Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Isig.isigCtl.1"; nocase; distance:0; content:"RunAndUploadFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/111680/IBM-Tivoli-Provisioning-Manager-Express-Overflow.html; classtype:attempted-user; sid:2014551; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability"; flow:to_client,established; content:"CLSID"; nocase; content:"6286EF1A-B56E-48EF-90C3-743410657F3C"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014552; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal Remote Registry Dump Vulnerability 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DETECTIESETTINGS.detectIESettingsCtrl.1"; nocase; distance:0; content:"readRegVal"; nocase; distance:0; reference:url,exploit-db.com/exploits/17557/; classtype:attempted-user; sid:2014553; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_13, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS"; flow:to_client,established; content:"CLSID"; nocase; content:"6116A7EC-B914-4CCE-B186-66E0EE7067CF"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014585; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Edraw Diagram Component 5 ActiveX LicenseName Access Potential buffer overflow DOS 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"EDBoardLib.EDBoard"; nocase; distance:0; content:"LicenseName"; nocase; distance:0; reference:url,exploit-db.com/exploits/18461/; classtype:attempted-user; sid:2014586; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 
2012_04_16, updated_at 2016_07_01;)
# NOTE(review): this copy of the ruleset lost its line structure (rules were wrapped mid-option); the rules below are
# re-laid out one per line, which is the only form a rule loader accepts. The fragment above is the tail of the
# preceding rule and the last rule of this section is cut short, so both are still incomplete here.
# NOTE(review): only the rules that carry file_data inspect the normalized HTTP response body; the ActiveX rules
# here that lack it match their content strings against the raw stream, so a compressed (gzip/deflate) response
# would presumably not be inspected by them -- verify against the engine's HTTP normalization before counting on
# them for coverage. Rules prefixed with "#" are shipped disabled; prefer the rule manager's enable/modify lists
# over editing this file, since a refreshed ruleset typically replaces it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"D9397163-A2DB-4A4A-B2C9-34E876AF2DFC"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014587; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest vWorkspace Broker Client ActiveX Control SaveMiniLaunchFile Remote File Creation/Overwrite 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"PNLLM.Client.1"; nocase; distance:0; content:"SaveMiniLaunchFile("; nocase; distance:0; reference:url,exploit-db.com/exploits/18704/; classtype:attempted-user; sid:2014588; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"65996200-3B87-11D4-A21F-00E029189826"; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014593; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"TList.TList.6"; fast_pattern; nocase; distance:0; content:".SaveData("; nocase; distance:0; reference:url,securityfocus.com/archive/1/520353; classtype:attempted-user; sid:2014594; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_16, updated_at 2016_07_01;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"209EBDEE-065C-11D4-A6B8-00C04F0D38B7"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014619; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee SaaS MyCioScan ShowReport Method Call Remote Command Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MYCIOSCNLib.Scan"; nocase; distance:0; content:"ShowReport"; nocase; distance:0; reference:url,packetstormsecurity.org/files/108767/McAfee-SaaS-MyCioScan-ShowReport-Remote-Command-Execution.html; classtype:attempted-user; sid:2014620; rev:2; metadata:created_at 2012_04_20, updated_at 2012_04_20;)
# NOTE(review): sid:2014651 is the only rule in this group written as "alert tcp $EXTERNAL_NET $HTTP_PORTS"; its
# siblings (sid:2014650, 2014648, 2014649) use "alert http $EXTERNAL_NET any", so this one presumably misses the same
# control when served from a non-standard port. Worth aligning with the siblings upstream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_04_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014708; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)
# NOTE(review): if sid:2014710 is ever re-enabled, its reference url contains a literal space ("NET-i Viewer");
# check that the engine's reference parser accepts it before loading.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; content:"CLSID"; nocase; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html; classtype:attempted-user; sid:2014710; rev:3; metadata:created_at 2012_05_04, updated_at 2012_05_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; content:"CLSID"; nocase; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_04, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"DcsCliCtrl.DCSStrmControl.1"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014903; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"721700FE-7F0E-49C5-BDED-CA92B7CB1245"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014902; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_15, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service"; flow:to_client,established; content:"CLSID"; nocase; content:"62789780-B744-11D0-986B-00609731A21D"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014942; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"MGMapControl.MGMap"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014943; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_22, updated_at 2016_07_01;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"Aventail.EPInterrogator.10.0.4.018"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014991; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit"; flow:to_client,established; content:"CLSID"; nocase; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014992; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;)
# NOTE(review): the reference below reads "11337day.com"; every other 1337day reference in this file is
# "1337day.com/exploits/<id>", so this is presumably a typo for 1337day.com/exploits/18917. Informational only --
# the reference keyword does not affect matching -- but worth reporting upstream rather than patching locally.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)
# NOTE(review): sid:2015036 (Crystal Reports Viewer) carries the same CLSID as sid:2015032 directly above
# (88DD90B6-C770-4CFF-B7A4-3AFD16BB8824, the IBM Rational ClearQuest control), which looks like a copy-paste error:
# as written it can only fire on pages that reference the ClearQuest CLSID together with "ServerResourceVersion",
# not on the Crystal Reports control that sid:2015037 matches by ProgID. Confirm the intended CLSID against the
# referenced advisory before relying on this rule for Crystal Reports coverage.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_06, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)
#alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; content:"hcp|3a|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015491; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; distance:0; content:"AddAttachments"; nocase; distance:0; reference:url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2015493; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ListCtrl.ocx"; fast_pattern; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_20, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"AutoVueX.ocx"; fast_pattern; nocase; distance:0; content:"SetMarkupMode"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html; classtype:attempted-user; sid:2015465; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_13, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; distance:0; content:"installAppMgr"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015537; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015538; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"WZFILEVIEW.FileViewCtrl.61"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015539; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_07_27, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"BARCODEWIZLib.BarCodeWiz"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015564; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute"; flow:to_client,established; content:"CLSID"; nocase; content:"54BDE6EC-F42F-4500-AC46-905177444300"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015566; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ICQPhone.SipxPhoneManager.1"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015567; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_03, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; content:"CLSID"; nocase; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015607; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; nocase; distance:0; content:".Initialize("; nocase; distance:0; reference:url,exploit-db.com/exploits/16630/; classtype:attempted-user; sid:2015636; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow"; flow:to_client,established; content:"CLSID"; nocase; content:"525A15D0-4938-11D4-94C7-0050DA20189B"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; reference:url,kb.cert.org/vuls/id/179281; classtype:attempted-user; sid:2015643; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_08_17, updated_at 2016_07_01;)
#alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; content:"String("; nocase; distance:0; pcre:"/^\s*?[0-9]{4}/R"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): the pcre in sid:2012102, 2012145, 2012146, 2012147, 2012148 and 2012133 below begins with
# "]*\s*classid", an unbalanced "]" which suggests the leading object-tag part of the expression (something of the
# form "<object[^>") was stripped when this copy was rendered, since it looks like an HTML tag. As printed the
# expressions are still valid PCRE but match zero or more literal "]" instead of an object tag, so the pcre no
# longer constrains the match the way the author intended; restore these from the upstream rule text before loading.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:4; metadata:created_at 2011_12_27, updated_at 2011_12_27;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; distance:0; within:20; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:4; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; distance:0; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; distance:0; within:20; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:8; metadata:created_at 2011_01_05, updated_at 2011_01_05;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_12_14, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible HP ALM XGO.ocx ActiveX Control SetShapeNodeType method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"C3B92104-B5A7-11D0-A37F-00A0248F0AF1"; nocase; distance:0; content:".SetShapeNodeType("; nocase; distance:0; reference:url,packetstormsecurity.org/files/116848/HP-ALM-Remote-Code-Execution.html; classtype:attempted-user; sid:2016084; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Cyme ChartFX client server ActiveX Control ShowPropertiesDialog arbitrary code execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E9DF30CA-4B30-4235-BF0C-7150F646606C"; nocase; distance:0; content:"ShowPropertiesDialog"; nocase; distance:0; reference:url,packetstormsecurity.org/files/117137/Cyme-ChartFX-Client-Server-Array-Indexing.html; classtype:attempted-user; sid:2016085; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_12_21, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3c9dff6f-5cb0-422e-9978-d6405d10718f"; nocase; distance:0; content:"InternationalSeparator"; nocase; distance:0; reference:url,securityfocus.com/bid/47596; classtype:attempted-user; sid:2016118; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_12_28, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Load method Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEA36793-F574-4CC1-8690-60E3511CFEAA"; nocase; distance:0; content:".Load"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119022/Sony-PC-Companion-2.1-Load-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016160; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion CheckCompatibility method Stack-based Unicode Buffer Overload"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A70D160E-E925-4207-803B-A0D702BEDF46"; nocase; distance:0; content:".CheckCompatibility"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119023/Sony-PC-Companion-2.1-CheckCompatibility-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016161; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Sony PC Companion Admin_RemoveDirectory Stack-based Unicode Buffer Overload SEH"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141"; nocase; distance:0; content:".Admin_RemoveDirectory"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119024/Sony-PC-Companion-2.1-Admin_RemoveDirectory-Unicode-Buffer-Overflow.html; classtype:attempted-user; sid:2016162; rev:3; metadata:created_at 2013_01_04, updated_at 2013_01_04;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Honeywell Tema Remote Installer ActiveX DownloadFromURL method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"E01DF79C-BE0C-4999-9B13-B5F7B2306E9B"; nocase; distance:0; content:".DownloadFromURL"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119427/Honeywell-Tema-Remote-Installer-ActiveX-Remote-Code-Execution.html; classtype:attempted-user; sid:2016197; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability"; flow:to_client,established; file_data; content:"45E66957-2932-432A-A156-31503DF0A681"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016236; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung Kies ActiveX PrepareSync method Buffer overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EA8A3985-F9DF-4652-A255-E4E7772AFCA8"; nocase; distance:0; content:".PrepareSync"; nocase; distance:0; reference:url,packetstormsecurity.com/files/119423/Samsung-Kies-2.5.0.12114_1-Buffer-Overflow.html; classtype:attempted-user; sid:2016237; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"KeyHelp.KeyScript"; nocase; distance:0; content:".LaunchTriPane("; nocase; distance:0; reference:url,packetstormsecurity.com/files/117293/KeyHelp-ActiveX-LaunchTriPane-Remote-Code-Execution.html; classtype:attempted-user; sid:2016235; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_18, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Aloaha PDF Crypter activex SaveToFile method arbitrary file overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B1E7505E-BBFD-42BF-98C9-602205A1504C"; nocase; distance:0; content:".SaveToFile"; nocase; distance:0; reference:url,exploit-db.com/exploits/24319/; classtype:attempted-user; sid:2016286; 
rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_01_25, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Ecava IntegraXor save method Remote ActiveX Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"520F4CFD-61C6-4EED-8004-C26D514D3D19"; nocase; distance:0; content:".save"; nocase; distance:0; reference:url,1337day.org/exploit/15398; classtype:attempted-user; sid:2016382; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2013_02_08, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL ACTIVEX Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3A|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-admin; sid:2102485; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; file_data; 
content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; 
reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:4; metadata:affected_product 
# (tail of sid:2014744 -- the rule's start is outside this section)
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_11, updated_at 2016_07_01;)
# --- ET ACTIVEX (part 2): same pattern as the rules above -- to_client HTTP body (file_data),
# CLSID or ProgID followed by the method name from the public exploit. Lines beginning with
# "#alert" are shipped disabled.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)
# NET-i viewer: ConnectDDNS and BackupToAvi each have two rules with different CLSIDs
# (sid:2014876/2014877 and sid:2014874/2014875); presumably two builds of the control.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)
# Windows Live Writer (sid:2014765/2014766): msg reads "Denail of Service" (upstream typo);
# left as-is since alert consumers may match on the msg string.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_08, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_18, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_06_01, updated_at 2016_07_01;)
# Sony VAIO Wireless Manager (sid:2014831/2014832): disabled; both share one CLSID and differ
# only in the method name. They carry no affected_product/attack_target metadata.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:4; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:3; metadata:created_at 2012_06_01, updated_at 2012_06_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_05_25, updated_at 2016_07_01;)
# SigPlus (sid:2012134, disabled): requires both the SigPlus CLSID and a second CLSID
# (D27CDB6E-..., which I recall as the Flash Player control) in the same response. The first
# pcre's class "[\x22|\x27]" includes a literal "|" alongside the two quote characters --
# a harmless over-match, but the second pcre shows the intended "[\x22\x27]".
# review: both pcres begin with "/]*", which looks like a leading "<object[^>" was lost in
# transcription ("]*" outside a class is a literal "]" repeated); the same applies to the
# SoftArtisans pcres below. Check against the upstream ET copy before deploying.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"|2e|LCDWriteString"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*69A40DA3-4D42-11D0-86B0-0000C025864A\s*}?(.*)\>/si"; pcre:"/]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_05, updated_at 2016_07_01;)
# SoftArtisans XFile (sid:2010745-2010749): older rules with no file_data, so the content and
# pcre checks run on the raw to_client stream, not the decoded HTTP body. sid:2010745 is the
# ProgID variant; its pcre "(Buildpath|GetDriveName|DriveExists|DeleteFile)" is unanchored, so
# any page that instantiates SoftArtisans.FileManager.1 and mentions one of those names fires.
# Its msg reads "stack overfow" (upstream typo, left as-is).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"BuildPath"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010746; classtype:attempted-user; sid:2010746; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt"; flow:from_server,established; content:"ActiveXObject"; nocase; content:"SoftArtisans.FileManager.1"; distance:0; nocase; pcre:"/(Buildpath|GetDriveName|DriveExists|DeleteFile)/i"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010745; classtype:attempted-user; sid:2010745; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"GetDriveName"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010747; classtype:attempted-user; sid:2010747; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DriveExists"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010748; classtype:attempted-user; sid:2010748; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# (sid:2010749 continues past the end of this section)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E7B62F4E-82F4-11D2-BD41-00105A0A7E89"; nocase; distance:0; content:"DeleteFile"; nocase; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E7B62F4E-82F4-11D2-BD41-00105A0A7E89/si"; reference:url,www.kb.cert.org/vuls/id/914785; reference:url,www.packetstormsecurity.nl/0911-exploits/softartisans_getdrivename.rb.txt; 
# (tail of sid:2010749 -- the rule's start is outside this section)
reference:url,osvdb.org/47794; reference:url,doc.emergingthreats.net/2010749; classtype:attempted-user; sid:2010749; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
# --- ET ACTIVEX (part 3). The next five rules (sid:2014132, 2012098, 2012095, 2012097,
# 2002725) are written as "alert tcp ... $HTTP_PORTS" with no file_data, so they match the raw
# TCP payload rather than the decoded HTTP body; unlike the "alert http"/file_data rules above
# they will not see content the HTTP parser would have decompressed or normalized.
# review: the "/]*" prefix on the pcres here looks like a lost "<object[^>" (transcription);
# verify against the upstream ET copy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX HP Easy Printer Care Software XMLCacheMgr ActiveX Control Remote Code Execution Attempt"; flow:established,to_client; content:"ActiveXObject"; nocase; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:bid,51396; reference:cve,2011-4786; classtype:attempted-user; sid:2014132; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2012_01_18, updated_at 2016_07_01;)
# sid:2012098: the pcre class "[\x22|\x27]" includes a literal "|" (harmless over-match).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra ActiveX SetIdentity Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"8234E54E-20CB-4A88-9AB6-7986F99BE243"; nocase; content:"|2e|SetIdentity"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*8234E54E-20CB-4A88-9AB6-7986F99BE243\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15655; classtype:attempted-user; sid:2012098; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_12_23, updated_at 2016_07_01;)
# review: sid:2012095 (disabled) -- its second pcre uses square brackets, i.e. a character
# class, where an alternation was clearly intended: as written it matches "." followed by any
# single character drawn from those method names, not the method names themselves. Its first
# pcre ends in "(\s|)", whose empty branch makes the group a no-op (compare "(\s|>)" in
# sid:2012098 above). If this rule is ever re-enabled, the second pcre should read
# pcre:"/\x2e(RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission)/";
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX J-Integra Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"F21507A7-530F-4A89-8FE4-9D989670FD2C"; nocase; distance:0; pcre:"/]*\s*classid\s*=\s*(\x22|\x27)\s*clsid\s*\x3a\s*{?\s*F21507A7-530F-4A89-8FE4-9D989670FD2C\s*}?\s*(.*)(\s|)/si"; pcre:"/\x2e[RemoveAccessPermission|AddLaunchPermission|AddAccessPermission|RemoveLaunchPermission]/"; reference:url,www.exploit-db.com/exploits/15648; classtype:attempted-user; sid:2012095; rev:3; metadata:created_at 2010_12_23, updated_at 2010_12_23;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX WMITools ActiveX Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; content:"|2e|AddContextRef"; distance:0; pcre:"/]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15809/; classtype:attempted-user; sid:2012097; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_12_23, updated_at 2016_07_01;)
# MS05-054 (sid:2002725, disabled): a pcre-only rule with no content match to pre-filter on, so
# every from_server payload on $HTTP_PORTS would be run through the regex; that cost is the
# likely reason it ships disabled. The single pattern covers a list of kill-bitted CLSIDs.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX COM Object Instantiation Memory Corruption Vulnerability MS05-054"; flow:established,from_server; pcre:"/000(2(042[1-5]|1401|000D)|6F071)-0000-0000-C000-000000000046|6E2271(FB|0[9A-F])-F799-11CF-9227-00AA00A1EB95|ECAB(AFC0|B0AB)-7F19-11D2-978E-0000F8757E2A|3050F4F5-98B5-11CF-BB82-00AA00BDCE0B|DF0B3D60-548F-101B-8E65-08002B2BD119|2D2E24CB-0CD5-458F-86EA-3E6FA22C8E64|51B4ABF3-748F-4E3B-A276-C828330E926A|E4979309-7A32-495E-8A92-7B014AAD4961|62EC9F22-5E30-11D2-97A1-00C04FB6DD9A|B1D4ED44-EE64-11D0-97E6-00C04FC30B4A|D675E22B-CAE9-11D2-AF7B-00C04F99179F/i"; reference:cve,2005-2831; reference:url,www.microsoft.com/technet/security/bulletin/ms05-054.mspx; reference:url,doc.emergingthreats.net/2002725; classtype:web-application-attack; sid:2002725; rev:14; metadata:created_at 2010_07_30, updated_at 2016_04_25;)
# winhlp32 / hhctrl.ocx chain (sid:2001622-2001624): phase 1 is flowbits:noalert -- it only
# sets the "winhlp32" flowbit when an <OBJECT> with an x-oleobject type and an hhctrl.ocx
# codebase is seen. Phases 2 and 3 require flowbits:isset,winhlp32, so they can only fire on
# the same flow after phase 1 matched. Phase 2's pcre uses the R modifier (relative to the
# preceding content match), so the scheme keyword must follow "command;". Each rule carries
# two metadata keywords (a leading "former_category" one and the usual trailing one).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; metadata: former_category ACTIVEX; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:16; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 2"; flow:to_client,established; flowbits:isset,winhlp32; file_data; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; metadata: former_category ACTIVEX; reference:url,doc.emergingthreats.net/bin/view/Main/2001623; classtype:web-application-attack; sid:2001623; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 3"; flow:to_client, established; flowbits:isset,winhlp32; file_data; content:".HHClick|2829|"; nocase; metadata: former_category ACTIVEX; reference:url,doc.emergingthreats.net/bin/view/Main/2001624; classtype:web-application-attack; sid:2001624; rev:15; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2017_05_08;)
# (The header below opens the next ruleset file in this bundle.)
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html # # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License # as follows: # #************************************************************* # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # # # # This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced. 
#alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request"; content:"|00 01 74 63 6C 73 68 2E 74 63 6C|"; reference:url,www.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009244; classtype:bad-unknown; sid:2009244; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert udp $EXTERNAL_NET 69 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Cisco TclShell TFTP Download"; content:"|54 63 6C 53 68 65 6C 6C|"; reference:url,www.irmplc.com/downloads/whitepapers/Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf; reference:url,doc.emergingthreats.net/2009245; classtype:bad-unknown; sid:2009245; rev:2; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000499; classtype:string-detect; sid:2000499; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000500; classtype:string-detect; sid:2000500; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000501; classtype:string-detect; sid:2000501; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000502; classtype:string-detect; sid:2000502; rev:8; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000503; classtype:string-detect; sid:2000503; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000504; classtype:string-detect; sid:2000504; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000505; classtype:string-detect; sid:2000505; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000506; classtype:string-detect; sid:2000506; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000507; classtype:string-detect; sid:2000507; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET ATTACK_RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2000508; classtype:string-detect; sid:2000508; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET 1024: -> any 1024: 
(msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,from_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftppass; reference:url,doc.emergingthreats.net/bin/view/Main/2007717; classtype:trojan-activity; sid:2007717; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,from_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session,300,seconds; reference:url,doc.emergingthreats.net/bin/view/Main/2007723; classtype:trojan-activity; sid:2007723; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (StnyFtpd)"; flow:established,from_server; content:"220 StnyFtpd 0wns j0"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002809; classtype:trojan-activity; sid:2002809; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Reptile)"; flow:established,from_server; content:"220 Reptile welcomes you"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002810; classtype:trojan-activity; sid:2002810; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Hostile FTP Server Banner (Bot Server)"; flow:established,from_server; content:"220 Bot Server (Win32)"; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002811; classtype:trojan-activity; sid:2002811; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (fuckFtpd)"; flow:established,from_server; dsize:<18; content:"220 
fuckFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/2009210; classtype:trojan-activity; sid:2009210; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any [21,1024:] -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (NzmxFtpd)"; flow:established,from_server; dsize:<18; content:"220 NzmxFtpd"; depth:12; offset:0; nocase; reference:url,doc.emergingthreats.net/2009211; classtype:trojan-activity; sid:2009211; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Download Detected"; flow:to_client,established; content:"stdapi_fs_stat"; depth:54; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009558; classtype:successful-user; sid:2009558; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process List (ps) Command Detected"; flow:to_client,established; content:"stdapi_sys_process_get_processes"; depth:65; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009559; classtype:successful-user; sid:2009559; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Getuid Command Detected"; flow:to_client,established; content:"stdapi_sys_config_getuid"; depth:65; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; 
reference:url,doc.emergingthreats.net/2009560; classtype:successful-user; sid:2009560; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Process Migration Detected"; flow:to_client,established; content:"core_migrate"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009561; classtype:successful-user; sid:2009561; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter ipconfig Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_interfaces"; depth:65; threshold: type threshold, track by_src, count 2, seconds 4; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009562; classtype:successful-user; sid:2009562; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Sysinfo Command Detected"; flow:to_client,established; content:"stdapi_sys_config_sysinfo"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009563; classtype:successful-user; sid:2009563; rev:2; metadata:affected_product Any, attack_target 
Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Route Command Detected"; flow:to_client,established; content:"stdapi_net_config_get_route"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009564; classtype:successful-user; sid:2009564; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Kill Process Command Detected"; flow:to_client,established; content:"stdapi_sys_process_kill"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009565; classtype:successful-user; sid:2009565; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Print Working Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_getwd"; depth:55; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009566; classtype:successful-user; sid:2009566; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) 
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter View Current Process ID Command Detected"; flow:to_client,established; content:"stdapi_sys_process_getpid"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009567; classtype:successful-user; sid:2009567; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Execute Command Detected"; flow:to_client,established; content:"stdapi_sys_process_execute"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009568; classtype:successful-user; sid:2009568; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Reboot/Shutdown Detected"; flow:to_client,established; content:"stdapi_sys_power_exitwindows"; depth:62; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009569; classtype:successful-user; sid:2009569; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter System Get Idle Time Command Detected"; flow:to_client,established; 
content:"stdapi_ui_get_idle_time"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009570; classtype:successful-user; sid:2009570; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Make Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_mkdir"; depth:55; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009571; classtype:successful-user; sid:2009571; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Remove Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_delete_dir"; depth:57; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009572; classtype:successful-user; sid:2009572; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Change Directory Command Detected"; flow:to_client,established; content:"stdapi_fs_chdir"; depth:57; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009573; classtype:successful-user; sid:2009573; rev:2; 
metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter List (ls) Command Detected"; flow:to_client,established; content:"stdapi_fs_ls"; depth:52; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009574; classtype:successful-user; sid:2009574; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter rev2self Command Detected"; flow:to_client,established; content:"stdapi_sys_config_rev2self"; depth:52; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009575; classtype:successful-user; sid:2009575; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Keyboard Detected"; flow:to_client,established; content:"stdapi_ui_enable_keyboard"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009576; classtype:successful-user; sid:2009576; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, 
created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Enabling/Disabling of Mouse Detected"; flow:to_client,established; content:"stdapi_ui_enable_mouse"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009577; classtype:successful-user; sid:2009577; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File/Memory Interaction Detected"; flow:to_client,established; content:"stdapi_fs_file_expand_path"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009578; classtype:successful-user; sid:2009578; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Registry Interaction Detected"; flow:to_client,established; content:"stdapi_registry_create_key"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009579; classtype:successful-user; sid:2009579; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter File Upload Detected"; 
flow:to_client,established; content:"core_channel_write"; depth:50; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009580; classtype:successful-user; sid:2009580; rev:2; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Channel Interaction Detected, Likely Interaction With Executable"; flow:to_client,established; content:"core_channel_interact"; depth:60; reference:url,www.nologin.org/Downloads/Papers/meterpreter.pdf; reference:url,doc.emergingthreats.net/2009651; classtype:successful-user; sid:2009651; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"|40 00 41 00 42 0043 00 44 00 6d 65 74 73 72 76 2e 64 6c 6c 00 49 6e 69 74 00 5f 52 65 66 6c 65 63 74 69 76 65 4c 6f 61|"; reference:url,doc.emergingthreats.net/2010454; classtype:successful-admin; sid:2010454; rev:3; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE c99shell phpshell detected"; flow:established,from_server; content:"c99shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007652; 
classtype:web-application-activity; sid:2007652; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Weak Netbios Lanman Auth Challenge Detected"; flow:from_server; content:"|ff 53 4d 42|"; content:"|00 11 22 33 44 55 66 77 88|"; reference:url,doc.emergingthreats.net/bin/view/Main/2006417; classtype:policy-violation; sid:2006417; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET ATTACK_RESPONSE FTP CWD to windows system32 - Suspicious"; flow:established,to_server; content:"CWD C|3a|\\WINDOWS\\system32\\"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008556; classtype:trojan-activity; sid:2008556; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection"; flow:established,to_client; content:"#|0d 0a|#|20|This|20|is|20|a|20|sample|20|HOSTS|20|file|20|used|20|by|20|Microsoft|20|TCP/IP|20|for|20|Windows.|0d 0a|#|0d 0a|#|20|This|20|file|20|contains|20|the|20|mappings|20|of|20|IP|20|addresses|20|to|20|host|20|names."; reference:url,doc.emergingthreats.net/bin/view/Main/2008559; classtype:trojan-activity; sid:2008559; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From|3a| anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent|3a| PHP"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001628; classtype:web-application-activity; sid:2001628; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ATTACK_RESPONSE r57 phpshell source being uploaded"; flow:established,to_server; content:"/* (c)oded by 1dt.w0lf"; content:"/* 
RST/GHC http"; distance:0; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003536; classtype:web-application-activity; sid:2003536; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE r57 phpshell footer detected"; flow:established,from_server; content:"r57shell - http-shell by RST/GHC"; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453096755; reference:url,doc.emergingthreats.net/bin/view/Main/2003535; classtype:web-application-activity; sid:2003535; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE x2300 phpshell detected"; flow:established,from_server; content:"x2300 Locus7Shell"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007651; classtype:web-application-activity; sid:2007651; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE RFI Scanner detected"; flow:established,from_server; content:"RFI Scanner"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007653; classtype:web-application-activity; sid:2007653; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE C99 Modified phpshell detected"; flow:established,from_server; content:"C99 Modified"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007654; classtype:web-application-activity; sid:2007654; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE lila.jpg phpshell detected"; flow:established,from_server; content:"CMD PHP"; 
reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007655; classtype:web-application-activity; sid:2007655; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE ALBANIA id.php detected"; flow:established,from_server; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007656; classtype:web-application-activity; sid:2007656; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Mic22 id.php detected"; flow:established,from_server; content:"Mic22"; reference:url,www.rfxn.com/vdb.php; reference:url,doc.emergingthreats.net/bin/view/Main/2007657; classtype:web-application-activity; sid:2007657; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET 1024: -> any 1024: (msg:"ET ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,from_server; dsize:>7; content:"USER "; depth:5; offset:0; content:" |0d 0a|"; distance:1; flowbits:set,ET.strippedftpuser; reference:url,doc.emergingthreats.net/bin/view/Main/2007715; classtype:trojan-activity; sid:2007715; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (WinFtpd)"; flow:established,from_server; dsize:<18; content:"220 WinFtpd"; depth:11; offset:0; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2007725; classtype:trojan-activity; sid:2007725; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any 1024: -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; 
reference:url,doc.emergingthreats.net/bin/view/Main/2007726; classtype:trojan-activity; sid:2007726; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt"; flow:established,to_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009149; classtype:web-application-activity; sid:2009149; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Related Activity"; flow:established,from_server; content:"public string Password|3D 22|21232f297a57a5a743894a0e4a801fc3|22 3B|"; nocase; reference:url,doc.emergingthreats.net/2009147; classtype:web-application-activity; sid:2009147; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible ASPXSpy Request"; flow:established,from_server; content:"Thanks Snailsor,FuYu,BloodSword"; reference:url,doc.emergingthreats.net/2009146; classtype:web-application-activity; sid:2009146; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET ATTACK_RESPONSE Metasploit/Meterpreter - Sending metsrv.dll to Compromised Host"; flow:established; content:"metsrv.dll|00|MZ"; fast_pattern; depth:13; content:"!This program cannot be run in DOS mode."; distance:75; within:40; reference:url,doc.emergingthreats.net/2009581; classtype:successful-admin; sid:2009581; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2010_07_30, updated_at 2016_07_01;) alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP 
Server Banner (warFTPd)"; flow:established,from_server; content:"220 "; content:"--warFTPd "; depth:40; nocase; reference:url,www.warftp.org; reference:url,doc.emergingthreats.net/bin/view/Main/2003464; classtype:trojan-activity; sid:2003464; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any 21 -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Unusual FTP Server Banner (freeFTPd)"; flow:established,from_server; content:"220 "; content:"--freeFTPd "; depth:40; nocase; reference:url,www.freeftp.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003465; classtype:trojan-activity; sid:2003465; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ipconfig Response Detected"; flow:from_server,established; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; offset:35; depth:55; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009676; classtype:successful-recon-limited; sid:2009676; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system"; flow:established; dsize:<110; content:"Microsoft Windows "; depth:20; content:"Copyright 1985-20"; distance:0; content:"Microsoft Corp"; distance:0; content:"|0a 0a|"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2008953; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Windows 7 CMD Shell from Local System"; flow:established; dsize:<160; content:"Microsoft Windows [Version "; depth:30; content:"Copyright (c)"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2012690; rev:1; metadata:created_at 2011_04_17, updated_at 2011_04_17;) #alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL 
ATTACK_RESPONSE id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:2101882; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:2101883; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:2101885; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:2101886; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:2101666; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:2101200; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command completed"; flow:established; content:"Command completed"; nocase; reference:bugtraq,1806; classtype:bad-unknown; sid:2100494; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert http 
$HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE command error"; flow:established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:2100495; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# GPL 2100497: DOS "copy" command output ("1 file(s) copied") on a flow involving
# an $HTTP_SERVERS host. flow:established carries no direction, so the request
# side of the connection is inspected as well as the response.
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE file copied ok"; flow:established; content:"1 file|28|s|29| copied"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:2100497; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# GPL 2102043: IKE (udp/500) datagram from $HOME_NET whose bytes at fixed offsets
# are the ones the rule author associates with a failed ISAKMP login. UDP, so no
# flow keyword: an unsolicited packet from an internal host matches too.
alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"GPL ATTACK_RESPONSE isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2102043; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# GPL 2101008 / 2101009 are request-side (flow:to_server, $EXTERNAL_NET ->
# $HTTP_SERVERS) despite the ATTACK_RESPONSE category: they fire on attacker
# input ("&del /s c:\*.*" in the request, a probe for
# /ServerVariables_Jscript.asp), not on server output, so a hit is an attempt
# rather than evidence that anything executed.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL ATTACK_RESPONSE del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; nocase; classtype:web-application-attack; sid:2101008; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL ATTACK_RESPONSE directory listing"; flow:to_server,established; uricontent:"/ServerVariables_Jscript.asp"; nocase; reference:nessus,10573; classtype:web-application-attack; sid:2101009; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# GPL 2101292 (disabled): matches the "Volume Serial Number" line that cmd.exe's
# dir command prints, on any established TCP flow leaving $HOME_NET. Useful for
# spotting directory listings sent to an external host, but noisy wherever
# cleartext file transfer or ticketing traffic quotes such listings.
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE directory listing"; flow:established; content:"Volume Serial Number"; classtype:bad-unknown; sid:2101292; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# GPL 2100498: "alert ip any any -> any any" with no flow keyword: every packet
# in both directions is inspected, including traffic between two internal
# hosts, so it also fires on legitimate cleartext admin sessions that echo
# "uid=0(root)". Restrict to $HOME_NET -> $EXTERNAL_NET and add
# flow:established if it proves noisy.
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# GPL 2101884 continues on the next line.
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned web"; flow:from_server,established; 
content:"uid="; content:"|28|web|29|"; within:25; classtype:bad-unknown; sid:2101884; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; reference:url,doc.emergingthreats.net/2009345; classtype:attempted-recon; sid:2009345; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack"; flow:from_server,established; content:"401"; http_stat_code; threshold:type both, track by_dst, count 30, seconds 60; reference:url,doc.emergingthreats.net/2009346; classtype:attempted-recon; sid:2009346; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor reDuh http initiate"; flow:to_server,established; content:"?action=checkPort&port="; http_uri; content:"Java/"; http_user_agent; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011667; classtype:trojan-activity; sid:2011667; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_user_agent; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response"; 
flow:from_server,established; file_data; content:"Windows IP Configuration"; content:"Ethernet adapter Local Area Connection"; distance:8; within:40; reference:url,en.wikipedia.org/wiki/Ipconfig; reference:url,doc.emergingthreats.net/2009675; classtype:successful-recon-limited; sid:2009675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# ET 2015993: ten or more MySQL "Access denied for user" replies per second from
# $SQL_SERVERS to the same client (threshold type both, track by_dst, count 10,
# seconds 1) - a credential brute-force / account-enumeration signal, limited to
# one alert per client per second. An application retrying a bad password in a
# tight loop trips it as well, so check the client before escalating.
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern:only; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:2; metadata:created_at 2012_12_05, updated_at 2012_12_05;)
# ET 2017025: the header of "net user" output ("User accounts for \\HOST"
# followed by the long dashed rule) on any established TCP flow in either
# direction - there is no src/dst restriction at all, so an administrator's own
# cleartext remote session matches too; tune on known management hosts.
alert tcp any any -> any any (msg:"ET ATTACK_RESPONSE Net User Command Response"; flow:established; content:"User accounts for |5C 5C|"; fast_pattern; content:"-------------------------------------------------------------------------------"; distance:0; classtype:successful-user; sid:2017025; rev:3; metadata:created_at 2013_06_17, updated_at 2013_06_17;)
# ET 2017148: an HTTP 502 "Bad gateway" whose body starts with
# "Burp proxy error: " delivered to a $HOME_NET client. Burp's default listener
# is loopback-only, so a proxy error crossing the network suggests an instance
# bound to a non-local interface (hence classtype successful-admin); verify the
# listener configuration on the host that sent the response.
alert http any any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Non-Local Burp Proxy Error"; flow:established,to_client; content:"502"; http_stat_code; content:"Bad gateway"; http_stat_msg; file_data; content:"Burp proxy error|3A 20|"; within:18; reference:url,portswigger.net/burp/proxy.html; classtype:successful-admin; sid:2017148; rev:3; metadata:created_at 2013_07_15, updated_at 2013_07_15;)
# ET 2017317: the literal pty.spawn("/bin/sh") within the first 64 bytes of data
# sent from $EXTERNAL_NET to the client side of an established connection -
# consistent with an external party driving an interactive shell on an internal
# host. Treat as a compromise indicator and pivot to the destination host.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python shell spawn attempt"; flow:established,to_client; content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; sid:2017317; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
# ET 2018392 continues on the next line.
alert tcp $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible MS CMD Shell opened on local system 2"; dsize:<200; content:"Microsoft Windows "; 
depth:40; content:"[Version"; distance:0; within:10; content:"Copyright (c) 2009"; distance:0; content:"Microsoft Corp"; distance:0; reference:url,doc.emergingthreats.net/bin/view/Main/2008953; classtype:successful-admin; sid:2018392; rev:1; metadata:created_at 2014_04_15, updated_at 2014_04_15;)
# ET 2019284: "uid=<n>... gid=<n>... groups=" as printed by id(1), on a flow
# with an $HTTP_SERVERS host; flow:established has no direction, so request and
# response are both inspected. id output from a web server is a common first
# command after a webshell or RCE lands - correlate with the preceding request.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; rev:3; metadata:created_at 2014_09_26, updated_at 2014_09_26;)
# ET 2017121: an IPMI 2.0 datagram from udp/623 on $HOME_NET to an external
# address whose RAKP status byte is 0x0d ("unauthorized name"); fixed-offset
# checks only, no flow keyword (UDP). A hit means a BMC inside $HOME_NET is
# answering RAKP requests from outside the network. BMC interfaces belong on an
# isolated management network, so the exposure itself is the finding, not just
# the probe. (The msg text misspells "Retrieval"; left as shipped.)
alert udp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible IPMI 2.0 RAKP Remote SHA1 Password Hash Retreival RAKP message 2 status code Unauthorized Name"; content:"|06 13|"; offset:4; depth:2; content:"|0d|"; distance:11; within:1; classtype:protocol-command-decode; sid:2017121; rev:2; metadata:created_at 2013_07_09, updated_at 2013_07_09;)
# ET 2020084 / 2020085 / 2020086: startup banners of powershell.exe and
# cscript.exe and the "wmic:root\cli>" prompt in data leaving $HOME_NET on any
# TCP port - an interactive Windows console whose output reaches an external
# host in cleartext (reverse shell or relayed console). Legitimate cleartext
# remote-admin tools produce the same banners; tune on known admin hosts.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Powershell Banner Outbound"; flow:established; content:"Windows PowerShell"; content:"Copyright |28|C|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020084; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft CScript Banner Outbound"; flow:established; content:"Windows Script Host Version"; content:"Copyright |28|C|29|"; distance:0; content:"Microsoft Corp"; distance:0; classtype:successful-admin; sid:2020085; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft WMIC Prompt Outbound"; flow:established; content:"wmic|3a|root|5c|cli>"; classtype:successful-admin; sid:2020086; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
# ET 2020087 continues on the next line.
alert tcp $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Netsh Firewall Disable Output Outbound"; flow:established; content:"netsh firewall|22| is deprecated|3b|"; content:"use |22|netsh advfirewall"; distance:0; content:"Ok."; distance:0; classtype:successful-admin; sid:2020087; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
# ET 2020088: sc.exe query output (SERVICE_NAME: / TYPE / SERVICE_EXIT_CODE)
# leaving $HOME_NET. Together with 2020087 above (the legacy "netsh firewall"
# deprecation notice followed by "Ok.", i.e. a firewall change issued through
# the old syntax that succeeded) these are host-survey and defense-tampering
# signs when seen in outbound cleartext. flow:established has no direction,
# so either side of the connection matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SysInternals sc.exe Output Outbound"; flow:established; content:"SERVICE_NAME|3a|"; content:"TYPE"; distance:0; content:"SERVICE_EXIT_CODE"; distance:0; classtype:successful-admin; sid:2020088; rev:1; metadata:created_at 2015_01_05, updated_at 2015_01_05;)
# --- SQL error-in-response family (sids 2020506-2020554), shipped disabled ("#").
# Each rule matches a database error string in an HTTP response body
# (file_data) leaving $HTTP_SERVERS, rate-limited to one alert per source
# server per 60 s (threshold type both, track by_src, count 1, seconds 60).
# An alert means the application leaked a DB error to the client - the
# feedback an injection probe looks for - so pair it with the request that
# produced the error. Enable only the engines actually deployed; verbose
# error pages in test environments will trip these on ordinary page loads.
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mysql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020507; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL syntax"; fast_pattern; content:"MySQL"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020506; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
# ET 2020508 continues on the next line.
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlException (0x"; fast_pattern:only; threshold:type 
both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020508; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid MySQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020509; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"MySqlClient."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020510; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"com.mysql.jdbc.exceptions"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020511; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; 
flow:from_server,established; file_data; content:"PostgreSQL"; fast_pattern; content:"ERROR"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020512; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"Wpg_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020513; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"valid PostgreSQL result"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020514; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Npgsql."; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020515; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 
2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.postgresql.util.PSQLException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020516; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE PostgreSQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ERROR|3a 20 20|syntax error at or near"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020517; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Driver"; fast_pattern; pcre:"/^ SQL[-_ ]Server/R"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020518; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"OLEDB"; fast_pattern; content:"|20|SQL Server"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; 
sid:2020519; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"mssql_"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020521; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"System.Data.SqlClient."; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020523; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception"; fast_pattern; content:"Roadhouse.Cms"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020524; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, 
possible SQL injection point"; flow:from_server,established; file_data; content:"Microsoft Access"; fast_pattern; pcre:"/^ \d+ Driver/R"; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020525; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"JET Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020526; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft Access error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Access Database Engine"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020527; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"ORA-"; fast_pattern:only; pcre:"/ORA-\d{4}/"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020528; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, 
signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020529; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Oracle"; fast_pattern; content:"Driver"; distance:0; within:12; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020530; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"oci_"; distance:0; fast_pattern; pcre:"/Warning.*\Woci_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020531; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Oracle error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ora_"; fast_pattern; distance:0; pcre:"/Warning.*\Wora_/m"; threshold:type 
both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020532; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"CLI Driver"; fast_pattern:only; pcre:"/CLI Driver.*DB2/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020533; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"DB2 SQL error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020534; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE DB2 error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"bdb2_"; fast_pattern:only; pcre:"/bdb2_\w+\(/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020535; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Informix error in HTTP response, possible 
SQL injection point"; flow:from_server,established; file_data; content:"Exception"; content:"Informix"; fast_pattern; pcre:"/Exception.*Informix/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020536; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020537; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Firebird error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Dynamic SQL Error"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020538; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite/JDBCDriver"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020539; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 
2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQLite.Exception"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020540; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"System.Data.SQLite.SQLiteException"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020541; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"SQLite3|3a 3a|"; fast_pattern; distance:0; pcre:"/Warning.*SQLite3::/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020543; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[SQLITE_ERROR]"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; 
sid:2020544; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"SQL error"; fast_pattern; content:"POS("; distance:0; pcre:"/SQL error.*POS\([0-9]+\)/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020545; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SAP MaxDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"maxdb"; fast_pattern; distance:0; pcre:"/Warning.*maxdb/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020546; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sybase"; fast_pattern; distance:0; pcre:"/i?Warning.*sybase/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020547; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET 
ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020548; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
# The ATTACK_RESPONSE "<DB> error in HTTP response" rules below ship disabled (leading '#').
# They inspect response bodies (file_data) leaving $HTTP_SERVERS for database error strings,
# which is a cheap, high-value indicator that injected input is reaching the database layer.
# Each is rate-limited to one alert per source per 60 seconds (threshold:type both, count 1).
# Verbose debug/error pages can produce benign hits; consider enabling them for internet-facing web tiers.
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Sybase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Sybase Server message"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020549; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"ingres_"; fast_pattern; distance:0; pcre:"/Warning.*ingres_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020550; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE SQLite error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Warning"; content:"sqlite_"; fast_pattern; distance:0; pcre:"/Warning.*sqlite_/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020542; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres SQLSTATE"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020551; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Ingres error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Ingres"; fast_pattern; content:"Driver"; distance:0; pcre:"/Ingres\W.*Driver/m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020552; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Frontbase error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"Exception (condition )"; content:". Transaction rollback."; fast_pattern; distance:0; pcre:"/Exception (condition )\d+\. Transaction rollback\./m"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020553; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HSQLDB error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"org.hsqldb.jdbc"; fast_pattern:only; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020554; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
# sid 2020522 additionally requires a "500 Internal Server Error" status before the file_data match, so it
# is narrower than the other DB-error rules; the pcre pins the 8-hex-digit OLE DB error code.
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; content:"500 Internal Server Error"; file_data; content:"OLE DB Provider for SQL Server"; fast_pattern:only; pcre:"/SQL Server.*?error \x27[0-9a-f]{8}/mi"; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020522; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
#alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Microsoft SQL error in HTTP response, possible SQL injection point"; flow:from_server,established; file_data; content:"[Microsoft]"; content:"[ODBC SQL Server Driver]"; fast_pattern; distance:0; threshold:type both,track by_src,count 1,seconds 60; classtype:web-application-attack; sid:2020520; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Datacenter, tag SQL_Injection, signature_severity Major, created_at 2015_02_24, updated_at 2016_07_01;)
# /etc/passwd leakage: the hex-escaped patterns below are "root:*:0:0:" + ":/root:/bin" (BSD style) and
# "root:x:0:0:root:/root:/" (Linux style) in outbound HTTP bodies and in mail submitted to port 25.
# Note the source-port inconsistency: 2003071 is limited to $HTTP_PORTS while 2002034 matches any port;
# 2025879 (further below) is the newer, $HTTP_SERVERS-scoped variant of the Linux pattern.
# These are classed successful-recon-limited: an alert means the file content actually left the network.
alert http $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (BSD style)"; flow:established,from_server; file_data; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003071; classtype:successful-recon-limited; sid:2003071; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via HTTP (linux style)"; flow:established,from_server; file_data; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002034; classtype:successful-recon-limited; sid:2002034; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (linux style)"; flow:established,to_server; content:"root|3a|x|3a|0|3a|0|3a|root|3a|/root|3a|/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003149; classtype:successful-recon-limited; sid:2003149; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET ATTACK_RESPONSE Possible /etc/passwd via SMTP (BSD style)"; flow:established,to_server; content:"root|3a|*|3a|0|3a|0|3a|"; nocase; content:"|3a|/root|3a|/bin"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003150; classtype:successful-recon-limited; sid:2003150; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Matahari: keyed on the combination of three request headers (Accept-Encoding: identity, Next-Polling,
# Content-Salt with a numeric value); the pcre uses the /H (http_header) buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Matahari client"; flow:to_server,established; content:"Accept|2d|Encoding|3a 20|identity|0d 0a|"; http_header; content:"Next|2d|Polling"; http_header; fast_pattern:only; content:"Content|2d|Salt|3a| "; http_header; pcre:"/Content\x2dSalt\x3a\x20[0-9\.\-]+\x0d\x0a/Hi"; reference:url,doc.emergingthreats.net/2010795; classtype:trojan-activity; sid:2010795; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# CVE-2016-1287: inbound UDP/500 (IKE) payload carrying the reverse-CLI marker followed by an
# "ip/port" string (pcre anchored with /R after the content match). An alert is an exploitation
# attempt against the IKE listener: check the target's patch level and hunt for an outbound connection
# from it to the address/port carried in the payload.
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"; flow:to_server; content:"|ff ff ff|tcp/CONNECT/3/"; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}\/\d+\x00$/Ri"; reference:url,raw.githubusercontent.com/exodusintel/disclosures/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022819; rev:1; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
# BeEF: matches a fixed response-header sequence (text/javascript + a hard-coded Apache/2.2.3 (CentOS)
# Server banner within the first 69 bytes, Expires: 0, no Set-Cookie / X-Powered-By). It is a fingerprint
# of the default server configuration, so a reconfigured banner will not match — confirm against current builds.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Possible BeEF HTTP Headers Inbound"; flow:established,from_server; content:"Content-Type|3a 20|text/javascript|0d 0a|Server|3a 20|Apache/2.2.3 (CentOS)|0d 0a|Pragma|3a|"; fast_pattern; http_header; depth:69; content:"|0d 0a|Expires|3a 20|0|0d 0a|"; http_header; content:!"Set-Cookie|3a 20|"; content:!"X-Powered-By|3a 20|"; http_header; metadata: former_category ATTACK_RESPONSE; classtype:attempted-user; sid:2024421; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_23, performance_impact Moderate, updated_at 2017_06_23;)
# The hex content is the ASCII Perl line "my $process = $rps[rand scalar @rps];" (a process-name
# randomiser seen in the IRC bot source); direction is from_server towards $HTTP_SERVERS, i.e. the
# bot being fetched by a compromised web host.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE 401TRG Perl DDoS IRCBot File Download"; flow:established,from_server; content:"|6d 79 20 24 70 72 6f 63 65 73 73 20 3d 20 24 72 70 73 5b 72 61 6e 64 20 73 63 61 6c 61 72 20 40 72 70 73 5d 3b|"; metadata: former_category ATTACK_RESPONSE; classtype:trojan-activity; sid:2024977; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_11_07, malware_family webshell, performance_impact Moderate, updated_at 2017_11_07;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE webr00t WebShell Access"; flow:established,to_server; content:"/?webr00t="; http_uri; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2013/11/case-study-analyzing-a-wordpress-attack-dissecting-the-webr00t-cgi-shell-part-i.html; classtype:trojan-activity; sid:2017701; rev:4; metadata:created_at 2013_11_08, updated_at 2017_11_28;)
# fast_pattern:16,20 selects bytes 16-35 of the URI content ("uploads/optpress/ima") for the MPM prefilter;
# the pcre restricts the hit to the three image sub-directories.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET ATTACK_RESPONSE PHP script in OptimizePress Upload Directory Possible WebShell Access"; flow:to_server,established; content:"/wp-content/uploads/optpress/images_"; http_uri; fast_pattern:16,20; content:".php"; http_uri; pcre:"/\/wp-content\/uploads\/optpress\/images\_(?:comingsoon|lncthumbs|optbuttons)\/.*?\.php/Ui"; metadata: former_category CURRENT_EVENTS; reference:url,blog.sucuri.net/2013/12/wordpress-optimizepress-theme-file-upload-vulnerability.html; classtype:attempted-admin; sid:2017854; rev:3; metadata:created_at 2013_12_13, updated_at 2017_11_28;)
# NOTE(review): sid 2018136 has three empty content:"" matches as reproduced here. This looks like
# extraction damage (angle-bracketed HTML strings stripped), not the upstream rule; an empty content
# cannot match anything and will most likely be rejected at load time. Restore the content values from
# the upstream emerging-attack_response.rules (sid 2018136) before enabling this rule — TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Linksys Router Returning Device Settings To External Source"; flow:established,from_server; file_data; content:""; content:""; content:""; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633; classtype:attempted-admin; sid:2018136; rev:3; metadata:created_at 2014_02_13, updated_at 2017_11_28;)
# Zone-H defacement notification: an outbound POST to /notify/single or /notify/mass whose body begins
# with "defacer=" (depth:8 on the client body). An alert from $HTTP_SERVERS means a host is reporting
# its own defacement, so treat it as a confirmed compromise rather than an attempt.
alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Zone-H.org defacement notification"; flow:established,to_server; content:"POST"; http_method; content:"/notify/"; http_uri; pcre:"/\/notify\/(single|mass)$/iU"; content:"defacer|3d|"; http_client_body; depth:8; fast_pattern; metadata: former_category ATTACK_RESPONSE; reference:url,doc.emergingthreats.net/bin/view/Main/2001616; classtype:trojan-activity; sid:2001616; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Meterpreter reverse-HTTPS: walks the DER structure of the handler's self-signed certificate in a
# TLS 1.2 (16 03 03) server handshake — same CN in issuer and subject (pcre back-reference \g{1}),
# RSA/SHA-256 signature OIDs, basicConstraints CA:FALSE, and a 256/257-byte modulus. Negated matches
# drop certificates containing the DER strings "ubuntu"/"mint" (presumably default hostnames — confirm).
# Only the default generated certificate is covered; operators supplying their own certificate will not
# match, so treat a hit as high-confidence but do not read silence as absence.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS certificate"; flow:from_server,established; content:"|A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00|"; fast_pattern:only; content:"|16 03 03|"; pcre:"/^..\x0B.{9}\x30\x82..\x30\x82..\xA0\x03\x02\x01\x02\x02(?:\x09.{9}|\x08.{8})/Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30|"; within:16; pcre:"/^.\x31.\x30.\x06\x03\x55\x04\x03\x0C.([a-z]{2,9})\x30.\x17\x0D[0-9]{12}Z\x17\x0D[0-9]{12}Z\x30.\x31.\x30.\x06\x03\x55\x04\x03\x0C.\g{1}\x30\x82../Rs"; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; pcre:"/^...\x30\x82..\x02\x82...{256,257}/Rs"; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; within:36; content:!"|06|ubuntu"; content:!"|04|mint"; reference:url,blog.didierstevens.com/2015/05/11/detecting-network-traffic-from-metasploits-meterpreter-reverse-http-module; classtype:trojan-activity; sid:2021178; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2015_06_03, updated_at 2017_01_20;)
# NOTE(review): sid 2015905 shows two empty content:"" matches around " - WSO " — the same extraction
# damage as 2018136 above (the original matches were most likely HTML tag strings). Restore from the
# upstream rule before use; as written the rule cannot load or match correctly — TODO confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:""; content:" - WSO "; fast_pattern; distance:0; content:""; distance:0; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015905; rev:3; metadata:created_at 2012_11_21, updated_at 2018_01_08;)
# WSO webshell operator traffic: POST body carrying the c/p1/p2/p3 parameters plus one of the shell's
# known action names (the /P pcre runs over http_client_body). Pair hits with 2015905 for confirmation.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE WSO - WebShell Activity - POST structure"; flow:established,to_server; content:"POST"; http_method; content:"&c="; http_client_body; content:"&p1="; http_client_body; content:"&p2="; http_client_body; content:"&p3="; http_client_body; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/P"; metadata: former_category CURRENT_EVENTS; classtype:attempted-user; sid:2015906; rev:3; metadata:created_at 2012_11_21, updated_at 2018_01_08;)
# Newer, plain-text variant of the Linux /etc/passwd pattern, scoped to $HTTP_SERVERS responses.
alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE passwd file Outbound from WEB SERVER Linux"; flow:established,from_server; file_data; content:"root:x:0:0:root:/root:/bin/"; within:27; classtype:successful-recon-limited; sid:2025879; rev:1; metadata:created_at 2018_07_20, updated_at 2018_07_20;)
# ---- Second embedded file header: the CHAT rules that follow appear to come from a separately
# ---- distributed ruleset file concatenated here (license text reproduced as shipped).
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.
# CHAT rules are policy-violation / misc-activity signatures for instant-messaging protocols. Most of the
# protocols below (Gadu-Gadu, ICQ/AIM OSCAR, MSN, Yahoo) are defunct, so these rules mainly add load and
# noise; keep them only where an acceptable-use policy still needs them.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Facebook Chat using XMPP"; flow:to_server,established; content:"chat.facebook.com"; nocase; content:"jabber|3A|client"; nocase; distance:9; within:13; threshold: type limit, track by_src, count 1, seconds 60; reference:url,www.facebook.com/sitetour/chat.php; reference:url,doc.emergingthreats.net/2010819; classtype:policy-violation; sid:2010819; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Gadu-Gadu (tcp/8074) rules chain on flowbits: 2008298 requires ET.gadu.welcome and sets ET.gadu.loginsent;
# 2008300 requires ET.gadu.loginsent; the remaining rules require ET.gadu.loggedin. The rules that SET
# ET.gadu.welcome and ET.gadu.loggedin are not in this section, so loading these without the rest of the
# Gadu-Gadu set leaves them unable to fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Client Login Packet"; flowbits:isset,ET.gadu.welcome; flow:established,to_server; dsize:<50; content:"|15 00 00 00|"; depth:4; flowbits:set,ET.gadu.loginsent; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008298; classtype:policy-violation; sid:2008298; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login Failed Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; dsize:8; content:"|09 00 00 00 00 00 00 00|"; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008300; classtype:policy-violation; sid:2008300; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Server Available Status Packet"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|02 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008301; classtype:policy-violation; sid:2008301; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Send Message"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|0b 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008302; classtype:policy-violation; sid:2008302; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Receive Message"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|0a 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008303; classtype:policy-violation; sid:2008303; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat Keepalive PING"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|08 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008304; classtype:policy-violation; sid:2008304; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Keepalive PONG"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|07 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008305; classtype:policy-violation; sid:2008305; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Request"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|01 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008306; classtype:policy-violation; sid:2008306; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# 2008307 (client->server) and 2008309 (server->client) both key on the same 4-byte packet type |03 00 00 00|
# and are distinguished only by direction.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET CHAT GaduGadu Chat File Send Details"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008307; classtype:policy-violation; sid:2008307; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Accept"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|06 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008308; classtype:policy-violation; sid:2008308; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat File Send Begin"; flowbits:isset,ET.gadu.loggedin; flow:established,from_server; content:"|03 00 00 00|"; depth:4; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008309; classtype:policy-violation; sid:2008309; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# ICQ (OSCAR, tcp/5190): |2A02| / |2A01| is the FLAP frame header; the second content is the SNAC
# family/subtype at a fixed offset.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Invisible"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|001900130005|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001801; classtype:policy-violation; sid:2001801; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (1)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|000E00010011|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001802; classtype:policy-violation; sid:2001802; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Status Change (2)"; flow: from_client,established; content:"|2A02|"; depth: 2; content:"|00120001001E|"; offset: 4; depth: 6; reference:url,doc.emergingthreats.net/2001803; classtype:policy-violation; sid:2001803; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"ET CHAT ICQ Login"; flow: from_client,established; content:"|2A01|"; depth: 2; content:"|00010001|"; offset: 8; depth: 4; reference:url,doc.emergingthreats.net/2001804; classtype:policy-violation; sid:2001804; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# 2001805 is bidirectional (<>) on any port with a 2-byte first match; expect it to be the noisiest ICQ rule.
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT ICQ Message"; flow: established; content:"|2A02|"; depth: 2; content:"|000400060000|"; offset: 6; depth: 6; reference:url,doc.emergingthreats.net/2001805; classtype:policy-violation; sid:2001805; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google Talk (Jabber) Client Login"; flow:established,to_server; content:"gmail.com"; nocase; content:"jabber"; nocase; distance:9; within:6; reference:url,talk.google.com; reference:url,www.xmpp.org; reference:url,doc.emergingthreats.net/2002327; classtype:policy-violation; sid:2002327; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# MSN file-transfer rules 2001241-2001243 ship disabled.
#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer request"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; distance: 0; content:"text/x-msmsgsinvite"; nocase; distance: 0; content:"Application-Name|3A|"; content:"File Transfer"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001241; classtype:policy-violation; sid:2001241; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer accept"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance: 1; reference:url,doc.emergingthreats.net/2001242; classtype:policy-violation; sid:2001242; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT MSN file transfer reject"; flow: established; content:"MSG "; depth: 4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance: 0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance: 0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; nocase; distance: 0; reference:url,doc.emergingthreats.net/2001243; classtype:policy-violation; sid:2001243; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# 2002192 matches the 4-byte "CHG " anywhere in the first 55 bytes of any outbound TCP stream — a weak
# pattern that can hit unrelated protocols.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN status change"; flow:established,to_server; content:"CHG "; depth:55; reference:url,doc.emergingthreats.net/2002192; classtype:policy-violation; sid:2002192; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# Yahoo Messenger (YMSG): "YMSG" magic in the first 4 bytes, service id at offset 10.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM voicechat"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|J"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001254; classtype:policy-violation; sid:2001254; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM ping"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 12|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001255; classtype:policy-violation; sid:2001255; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference invitation"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 18|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001256; classtype:policy-violation; sid:2001256; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM conference logon success"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 19|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001257; classtype:policy-violation; sid:2001257; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference message"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 1D|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001258; classtype:policy-violation; sid:2001258; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM Unavailable Status"; flow: to_server,established; content:"|59 47 00 0b 00 00 00 00 00 12 00 00 00 00|"; depth: 55; reference:url,doc.emergingthreats.net/2001427; classtype:policy-violation; sid:2001427; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# 2001260 (disabled) would alert on every YMSG frame in either direction.
#alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM message"; flow: established; content:"YMSG"; depth: 4; reference:url,doc.emergingthreats.net/2001260; classtype:policy-violation; sid:2001260; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference offer invitation"; flow: to_server,established; content:"YMSG"; nocase; depth: 4; content:"|00|P"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001262; classtype:policy-violation; sid:2001262; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): the next line is two rules fused together. "ET CHAT Yahoo IM conference request" lost
# everything from its content string through the header of the following "conference watch" rule
# (consistent with an angle-bracketed content string being stripped during extraction); its content
# value, sid and metadata are missing here. As written the line will not parse — restore both rules
# from the upstream file (the surviving sid is 2001264; the conference-request sid is not visible here).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM conference request"; flow: to_server,established; content:" $HOME_NET any (msg:"ET CHAT Yahoo IM conference watch"; flow: from_server,established; content:"|0D 00 05 00|"; depth: 4; reference:url,doc.emergingthreats.net/2001264; classtype:policy-violation; sid:2001264; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; reference:url,doc.emergingthreats.net/2000355; classtype:misc-activity; sid:2000355; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# 2003031/2003032 (disabled) are suppression helpers: flowbits:noalert plus BS.SSL.Known.Port so that
# other rules checking that flowbit can exempt XMPP-over-TLS on 5222/5223. Enable only if those consumer
# rules are also loaded; they are not in this section.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Known SSL traffic on port 5222 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003031; classtype:not-suspicious; sid:2003031; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 5223 (msg:"ET CHAT Known SSL traffic on port 5223 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; reference:url,doc.emergingthreats.net/2003032; classtype:not-suspicious; sid:2003032; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# 2002659 still uses the legacy uricontent keyword rather than content + http_uri like the newer rules here.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Yahoo IM Client Install"; flow: to_server,established; uricontent:"/ycontent/stats.php?version="; nocase; uricontent:"EVENT=InstallBegin"; nocase; reference:url,doc.emergingthreats.net/2002659; classtype:policy-violation; sid:2002659; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# 2002334 has flow:to_server without "established" (unlike 2002327 above), so it is evaluated on
# unestablished traffic too.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"ET CHAT Google IM traffic Jabber client sign-on"; flow:to_server; content:"gmail.com"; nocase; content:"jabber.org"; nocase; content:"version="; reference:url,www.google.com/talk; reference:url,doc.emergingthreats.net/2002334; classtype:policy-violation; sid:2002334; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"ET CHAT Possible MSN Messenger File Transfer"; flow:established,from_client; content:"x-msnmsgrp2p"; nocase; content:"appid|3a|"; nocase; pcre:"/appid\x3a\s+2/i"; reference:url,www.hypothetic.org/docs/msn/client/file_transfer.php; reference:url,doc.emergingthreats.net/2008289; classtype:policy-violation; sid:2008289; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# The following rules use http_* buffers on "alert tcp" headers (2001595, 2009375, 2010786); the
# engine treats them as HTTP-layer matches. Compare 2010784/2010785 which use "alert http".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Skype VOIP Checking Version (Startup)"; flow: to_server,established; content:"/ui/"; http_uri; nocase; content:"/getlatestversion?ver="; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001595; classtype:policy-violation; sid:2001595; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT General MSN Chat Activity"; flow: established; content:"Content-Type|3A|"; http_header; content:"application/x-msn-messenger"; http_header; reference:url,www.hypothetic.org/docs/msn/general/http_examples.php; reference:url,doc.emergingthreats.net/2009375; classtype:policy-violation; sid:2009375; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (settings)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/settings.php"; http_uri; content:"facebook.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010786; classtype:policy-violation; sid:2010786; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CHAT Facebook Chat (send message)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/send.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010784; classtype:policy-violation; sid:2010784; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# GPL CHAT rules (sid 21xxxxx) are the GPLv2-licensed set referenced in the header above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:2101990; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; threshold:type limit, track by_src, count 1, seconds 60; classtype:policy-violation; sid:2101991; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; classtype:policy-violation; sid:2101986; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; classtype:policy-violation; sid:2101988; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:2101989; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# The AIM rules reference the $AIM_SERVERS address group, which must be defined in the engine's
# variable configuration or these rules will fail to load.
alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:2101633; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"GPL CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:2101632; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"GPL CHAT AIM login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 17 00 06|"; within:8; distance:4; classtype:policy-violation; sid:2101631; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:2100540; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; http_header; classtype:policy-violation; sid:2100541; rev:13; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# IRC rules: each sets the is_proto_irc flowbit; the rules that consume it (e.g. bot/C2 detection keyed
# on IRC having been seen on the flow) are not in this section. The ET IRC command rules (2002023-2002027)
# deliberately use "any any -> any 6666:7000" so they also see internal-to-internal IRC.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC Channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; fast_pattern:only; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101729; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC CHAT chat"; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101640; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"GPL CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; depth:8; nocase; content:" |3A|.DCC SEND"; nocase; flowbits:set,is_proto_irc; classtype:policy-violation; sid:2101639; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC NICK command"; flow:to_server,established; content:"NICK|20|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002024; classtype:misc-activity; sid:2002024; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC JOIN command"; flow:to_server,established; content:"JOIN|2023|"; nocase; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002025; classtype:misc-activity; sid:2002025; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER command"; flow:to_server,established; content:"USER|20|"; nocase; content:"|203a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002023; classtype:misc-activity; sid:2002023; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PRIVMSG command"; flow:established,to_server; content:"PRIVMSG|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002026; classtype:misc-activity; sid:2002026; rev:21; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp any 6666:7000 -> any any (msg:"ET CHAT IRC PING command"; flow:from_server,established; content:"PING|20|"; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002027; classtype:misc-activity; sid:2002027; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2102458; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# NOTE(review): same fusion as the ET "Yahoo IM conference request" rule above — the GPL conference
# request rule (tcp/5100) is truncated at its content string and runs into the "GPL CHAT Yahoo IM ping"
# rule (sid 2102452). The conference-request sid is not visible here; restore both from the upstream file.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:" $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2102452; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2102459; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2102455; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2102461; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2102456; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2102451; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2102454; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2102453; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# 2002157 matches the substring "Skype" anywhere in the User-Agent (no nocase), so any agent string
# embedding the word will hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_user_agent; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Facebook Chat (buddy list)"; flow:established,to_server; content:"POST"; http_method; content:"/ajax/chat/buddy_list.php"; http_uri; content:"facebook.com"; http_header; reference:url,doc.emergingthreats.net/2010785; classtype:policy-violation; sid:2010785; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT MSN IM Poll via HTTP"; flow: established,to_server; content:"/gateway/gateway.dll?Action=poll&SessionID="; http_uri; nocase; threshold: type limit, track by_src, count 10, seconds 3600; reference:url,doc.emergingthreats.net/2001682; 
classtype:policy-violation; sid:2001682; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC USER Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; metadata: former_category CHAT; classtype:misc-activity; sid:2025066; rev:1; metadata:created_at 2013_07_12, updated_at 2017_11_28;) alert tcp any any -> any !6666:7000 (msg:"ET CHAT IRC USER Off-port Likely bot with 0 0 colon checkin"; flow:to_server,established; content:"USER|20|"; nocase; content:" 0 0 |3a|"; within:40; content:"|0a|"; within:40; flowbits:set,is_proto_irc; metadata: former_category CHAT; classtype:misc-activity; sid:2025067; rev:1; metadata:created_at 2013_07_12, updated_at 2017_11_28;) alert tcp any any -> any 6666:7000 (msg:"ET CHAT IRC PONG response"; flow:from_client,established; content:"PONG|20|"; depth:5; flowbits:set,is_proto_irc; reference:url,doc.emergingthreats.net/2002028; classtype:misc-activity; sid:2002028; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Login OK Packet"; flowbits:isset,ET.gadu.loginsent; flow:established,from_server; content:"|03 00 00 00|"; depth:4; byte_jump:4,0,relative,little,post_offset -1; isdataat:!2,relative; flowbits:set,ET.gadu.loggedin; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008299; classtype:policy-violation; sid:2008299; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"ET CHAT Yahoo IM file transfer request"; flow: established; content:"YMSG"; nocase; depth: 4; content:"|00 dc|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001259; classtype:policy-violation; sid:2001259; rev:7; metadata:created_at 
2010_07_30, updated_at 2010_07_30;) #alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg:"ET CHAT Skype Bootstrap Node (udp)"; threshold: type both, count 5, track by_src, seconds 120; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2003022; classtype:policy-violation; sid:2003022; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outoing Message"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Traffic"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Outgoing Auth"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"GPL CHAT Jabber/Google Talk Log Out"; flow:to_server,established; content:" $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Startup"; flow: established,to_server; content:"google.com"; nocase; content:"jabber|3A|client"; nocase; threshold: type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:2100877; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Logon"; flow:to_server,established; content:" $EXTERNAL_NET any (msg:"GPL CHAT Google Talk Version Check"; flow: established,to_server; content:"/googletalk/google-talk-versioncheck.txt?"; http_uri; nocase; classtype:policy-violation; sid:2100876; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;) alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Logon Success"; flow:to_client,established; content:" $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Incoming Message"; flow:to_client,established; content:" $EXTERNAL_NET any (msg:"ET CHAT Gadu-Gadu IM Login Server Request"; flow:established,to_server; content:"/appsvc/appmsg"; http_uri; nocase; content:".asp"; http_uri; 
nocase; content:"fmnumber="; http_uri; content:"&version="; http_uri; content:"&fmt="; http_uri; content:"appmsg.gadu-gadu."; http_host; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008295; classtype:policy-violation; sid:2008295; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CHAT Gadu-Gadu Chat Client Checkin via HTTP"; flow:established,to_server; content:"/appsvc/appmsg"; nocase; http_uri; content:"fmnumber="; nocase; http_uri; content:"&version="; nocase; http_uri; content:"&fmt="; nocase; http_uri; content:"&lastmsg="; http_uri; nocase; reference:url,doc.emergingthreats.net/2007866; classtype:trojan-activity; sid:2007866; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $EXTERNAL_NET 8074 -> $HOME_NET any (msg:"ET CHAT GaduGadu Chat Server Welcome Packet"; flow:established,from_server; dsize:12; content:"|01 00 00 00|"; depth:4; flowbits:set,ET.gadu.welcome; metadata: former_category CHAT; reference:url,piotr.trzcionkowski.pl/default.asp?load=/programy/pppgg_protokol.html; reference:url,doc.emergingthreats.net/2008297; classtype:policy-violation; sid:2008297; rev:5; metadata:created_at 2010_07_30, updated_at 2017_12_11;) # Emerging Threats # # This distribution may contain rules under two different licenses. # # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html # # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License # as follows: # #************************************************************* # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. 
# # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # #************************************************************* # # # # # This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced. #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malvertising drive by kit encountered - Loading..."; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Loading...
"; nocase; reference:url,doc.emergingthreats.net/2011223; classtype:bad-unknown; sid:2011223; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SWF served from /tmp/ "; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".swf"; http_uri; pcre:"/\/tmp\/[^\/]+\.swf$/U"; classtype:bad-unknown; sid:2011970; rev:1; metadata:created_at 2010_11_23, updated_at 2010_11_23;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neosploit Toolkit download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GNH11.exe"; http_uri; nocase; reference:url,www.malwareurl.com/listing.php?domain=piadraspgdw.com; reference:url,labs.m86security.com/2011/01/shedding-light-on-the-neosploit-exploit-kit; classtype:trojan-activity; sid:2012333; rev:3; metadata:created_at 2011_02_22, updated_at 2011_02_22;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:trojan-activity; sid:2012518; rev:2; metadata:created_at 2011_03_17, updated_at 2011_03_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png"; flow:established,to_server; content:"/images/WindowsLive.png"; http_uri; depth:23; classtype:bad-unknown; sid:2012529; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Landing Page"; flow:established,from_server; content:"MWL"; classtype:bad-unknown; sid:2012530; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site blt .png"; 
flow:established,to_server; content:"/images/blt"; http_uri; depth:11; content:".png"; http_uri; within:6; classtype:bad-unknown; sid:2012531; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download"; flow:established,to_server; content:"/MRT/update/"; http_uri; depth:12; content:".exe"; http_uri; classtype:bad-unknown; sid:2012532; rev:2; metadata:created_at 2011_03_21, updated_at 2011_03_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2; metadata:created_at 2011_03_30, updated_at 2011_03_30;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks"; flow:established,from_server; content:""; within:100; reference:url,malwaresurvival.net/tag/lizamoon-com/; classtype:web-application-attack; sid:2012614; rev:5; metadata:created_at 2011_03_31, updated_at 2011_03_31;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php"; flow:established,to_server; content:"GET"; http_method; content:"/ur.php"; http_uri; content:"GET /ur.php "; depth:12; classtype:trojan-activity; sid:2012625; rev:3; metadata:created_at 2011_04_04, updated_at 2011_04_04;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Paypal Phishing victim POSTing data"; flow:established,to_server; content:"POST"; http_method; content:"usr="; content:"&pwd="; content:"&name-on="; content:"&cu-on="; content:"&how2-on="; fast_pattern; classtype:bad-unknown; sid:2012630; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;) #alert tcp 
$EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential Paypal Phishing Form Attachment"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"Restore Your Account"; distance:0; nocase; content:"paypal"; distance:0; nocase; content:"form.php|22| method=|22|post|22|"; nocase; distance:0; classtype:bad-unknown; sid:2012632; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Potential ACH Transaction Phishing Attachment"; flow:established,to_server; content:"ACH transaction"; nocase; content:".pdf.exe"; nocase; classtype:bad-unknown; sid:2012635; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2011_04_05, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for hostile binary"; flow:established,to_server; content:"&|20|HTTP/1.1|0d 0a|User-A"; fast_pattern; content:".php?height="; http_uri; content:"|20|Java/"; http_header; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/U"; classtype:trojan-activity; sid:2012644; rev:3; metadata:created_at 2011_04_06, updated_at 2011_04_06;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious JAR olig"; flow:established,from_server; content:"|00 00|META-INF/PK|0a|"; fast_pattern; content:"|00|olig/"; classtype:trojan-activity; sid:2012646; rev:3; metadata:created_at 2011_04_06, updated_at 2011_04_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; 
classtype:trojan-activity; sid:2012687; rev:2; metadata:created_at 2011_04_13, updated_at 2011_04_13;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile"; flow:established,from_server; flowbits:isset,OLE.CompoundFile; content:"S|00|W|00|F|00|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; reference:url,www.adobe.com/support/security/advisories/apsa11-02.html; reference:cve,2011-0611; classtype:attempted-user; sid:2012622; rev:5; metadata:created_at 2011_03_31, updated_at 2011_03_31;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Redirector to Exploit Page /in/rdrct/rckt/?"; flow:established,to_server; content:"/in/rdrct/rckt/?"; http_uri; classtype:attempted-user; sid:2012731; rev:2; metadata:created_at 2011_04_28, updated_at 2011_04_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown .ru Exploit Redirect Page"; flow:established,to_server; content:"people/?"; http_uri; content:"&top="; http_uri; content:".ru|0d 0a|"; http_header; classtype:bad-unknown; sid:2012732; rev:2; metadata:created_at 2011_04_28, updated_at 2011_04_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, updated_at 2011_06_07;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit from /Home/games/ initial landing"; flow:established,to_server; content:"/Home/games/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013025; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;) #alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit kit mario.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/mario.jar"; http_uri; classtype:trojan-activity; sid:2013024; rev:3; metadata:created_at 2011_06_13, updated_at 2011_06_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Java/PDF Exploit kit initial landing"; flow:established,to_server; content:"/2fdp.php?f="; http_uri; classtype:trojan-activity; sid:2013027; rev:3; metadata:created_at 2011_06_13, updated_at 2011_06_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4; metadata:created_at 2011_06_16, updated_at 2011_06_16;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sidename.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"/sidename.js\">"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013061; rev:3; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_06_22, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4; metadata:created_at 2011_06_17, updated_at 2011_06_17;) #alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS cssminibar.js Injected Script Served by Local WebServer"; flow:established,from_server; content:"cssminibar.js|22|>"; nocase; fast_pattern:only; reference:url,blog.armorize.com/2011/06/mass-meshing-injection-sidenamejs.html; classtype:web-application-attack; sid:2013192; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Injected Credit Card Fraud Malvertisement Script"; flow:established,to_client; content:"|3C|script|3E|ba|28 27|Windows.class|27 2C 27|Windows.jar|27 29 3B 3C 2F|script|3E|"; nocase; reference:url,blogs.paretologic.com/malwarediaries/index.php/2011/07/06/stolen-credit-cards-site-injected-with-malware/; classtype:misc-activity; sid:2013244; rev:2; metadata:created_at 2011_07_11, updated_at 2011_07_11;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious 
DNS-Requests - flickr.com.* "; content:"|05|flickr|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013353; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - picasa.com.* "; content:"|06|picasa|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013354; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - blogger.com.* "; content:"|07|blogger|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; 
reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013355; rev:3; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - wordpress.com.* "; content:"|09|wordpress|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013357; rev:1; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - img.youtube.com.* "; content:"|03|img|07|youtube|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013358; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, 
attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) #alert udp !$DNS_SERVERS any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Wordpress possible Malicious DNS-Requests - upload.wikimedia.com.* "; content:"|06|upload|09|wikimedia|03|com"; nocase; content:!"|00|"; within:1; reference:url,markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/; reference:url,www.us-cert.gov/current/index.html#wordpress_themes_vulnerability; reference:url,blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SucuriSecurity+%28Sucuri+Security%29; classtype:web-application-attack; sid:2013359; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2011_08_04, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|
\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_07_08, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious 1px iframe related to Mass Wordpress Injections"; flow:established,from_server; content:"/?go=1|22 20|width=|22|1|22 20|height=|22|1|22|>"; fast_pattern; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3; metadata:created_at 2011_05_27, updated_at 2011_05_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Exploit kit worms.jar"; flow:established,to_server; content:"pack200"; http_header; content:" Java/"; http_header; content:"/worms.jar"; http_uri; classtype:trojan-activity; sid:2013661; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, 
created_at 2011_09_09, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt 2"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files (x86)|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013552; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_09, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013696; rev:3; metadata:created_at 2011_09_27, updated_at 2011_09_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo.class"; flow:established,to_server; content:"/lo.class"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013697; rev:3; metadata:created_at 2011_09_27, updated_at 2011_09_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit lo2.jar"; flow:established,to_server; content:"/lo2.jar"; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013698; rev:3; metadata:created_at 2011_09_27, updated_at 2011_09_27;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lilupophilupop Injected Script Being Served to Client"; flow:established,to_client; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013978; rev:3; metadata:created_at 2011_12_02, updated_at 2011_12_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS 
Lilupophilupop Injected Script Being Served from Local Server"; flow:established,from_server; content:"|3C|script src=|22|http|3A|//lilupophilupop.com/sl.php|22|>|3C 2F|script>"; nocase; classtype:bad-unknown; sid:2013979; rev:3; metadata:created_at 2011_12_02, updated_at 2011_12_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; content:" Java/1"; http_header; pcre:"/Host\x3a \d{8,10}(\x0d\x0a|\x3a\d{1,5}\x0d\x0a)/H"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:5; metadata:created_at 2011_08_30, updated_at 2011_08_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Probable Scalaxy exploit kit Java or PDF exploit request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; urilen:35; pcre:"/\/[a-z]\/[0-9a-f]{32}$/U"; classtype:bad-unknown; sid:2014025; rev:1; metadata:created_at 2011_12_12, updated_at 2011_12_12;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:bad-unknown; sid:2014027; rev:2; metadata:created_at 2011_12_12, updated_at 2011_12_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/com.class"; http_uri; classtype:trojan-activity; sid:2014031; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, 
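deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_19, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/org.class"; http_uri; classtype:trojan-activity; sid:2014032; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_19, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/edu.class"; http_uri; classtype:trojan-activity; sid:2014033; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_19, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/net.class"; http_uri; classtype:trojan-activity; sid:2014034; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_12_19, updated_at 2016_07_01;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS User-Agent used in Injection Attempts"; flow:established,to_server; content:"User-Agent|3a| MOT-MPx220/1.400 Mozilla/4.0"; http_header; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2011-December/016882.html; classtype:trojan-activity; sid:2014054; rev:2; metadata:created_at 2011_12_30, updated_at 2011_12_30;)
# sid:2012525: msg typo "Microsft" corrected to "Microsoft" (matches sibling sid:2012526); rev 3 -> 4
# (updated_at left as-is; set it when merging).
# Caveat for the four Content-Language rules below (sid:2012525-2012528): each fires on ANY OLE2 body
# (|D0 CF 11 E0 A1 B1 1A E1|) or "%PDF-" body seen together with a "Content-Language: ru" / "zh-cn" string,
# and that string match is not bound to http_header, so these are language/geo heuristics rather than
# exploit detection. Expect false positives if enabled; they ship disabled (#alert).
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012525; rev:4; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; classtype:trojan-activity; sid:2012526; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012527; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; content:"%PDF-"; classtype:trojan-activity; sid:2012528; rev:3; metadata:created_at 2011_03_21, updated_at 2011_03_21;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Saturn Exploit Kit binary download request"; flow:established,to_server; content:"/dl/"; depth:4; http_uri; fast_pattern; content:".php?"; http_uri; pcre:"/\/dl\/\w{1,4}\.php\?[0-9]$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013775; rev:2; metadata:created_at 2011_10_13, updated_at 2011_10_13;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Saturn Exploit Kit probable Java MIDI exploit request"; flow:established,to_server; content:"/dl/jsm.php"; depth:14; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013777; rev:2; metadata:created_at 2011_10_13, updated_at 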
2011_10_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for PDF exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; content:"|25 32 36|np"; distance:32; within:5; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011348; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SEO Exploit Kit - client exploited"; flow:established,to_server; content:"/exe.php?exp="; http_uri; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011813; rev:6; metadata:created_at 2010_10_12, updated_at 2010_10_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit reporting Java and PDF state"; flow:established,to_server; content:"_js?java="; http_uri; fast_pattern; content:"&adobe_pdf="; http_uri; distance:0; pcre:"/\/[a-f0-9]{60,}_js\?/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013690; rev:3; metadata:created_at 2011_09_23, updated_at 2011_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious JAR"; flow:established,to_server; content:"_jar"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_jar$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013691; rev:3; metadata:created_at 2011_09_23, updated_at 2011_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Java requesting malicious EXE"; flow:established,to_server; content:"_exe"; http_uri; fast_pattern; content:"|20|Java/"; http_header; pcre:"/\/[a-f0-9]{60,}_exe$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013692; rev:3; metadata:created_at 2011_09_23, updated_at 
2011_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit request for pdf_err__Error__Unspecified"; flow:established,to_server; content:"/pdf_err__Error__Unspecified error..gif"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013693; rev:7; metadata:created_at 2011_09_23, updated_at 2011_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Phoenix-style Exploit Kit Java Request with semicolon in URI"; flow:established,to_server; content:"/?"; http_uri; content:"|3b| 1|3b| "; http_uri; content:"|29| Java/1."; http_header; pcre:"/\/\?[a-z0-9]{65,}\x3b \d\x3b \d/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2011988; rev:5; metadata:created_at 2010_12_01, updated_at 2017_04_13;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:6; metadata:created_at 2012_01_04, updated_at 2012_01_04;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; 
nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:3; metadata:created_at 2012_01_04, updated_at 2012_01_04;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SEO Exploit Kit request for Java exploit"; flow:established,to_server; content:"POST"; http_method; content:"id="; http_client_body; content:"|25 32 36|j"; distance:32; within:4; http_client_body; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2011349; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2010_09_28, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Response Malicious JavaScript"; flow:established,from_server; content:""; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,100}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:7; metadata:created_at 2012_12_03, updated_at 2012_12_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|000"; content:"height=|22|000"; classtype:bad-unknown; sid:2016190; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_01_11, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page Received"; flow:established,to_client; file_data; content:"
"; classtype:bad-unknown; sid:2016191; rev:6; metadata:created_at 2013_01_11, updated_at 2013_01_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - Please wait..."; flow:established,to_client; file_data; content:"Please wait..."; nocase; content:"
$HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2013-0422 Landing Page"; flow:established,from_server; file_data; content:"Loading, Please Wait..."; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{7}\.class/"; pcre:"/[^a-zA-Z0-9_\-\.][a-zA-Z]{8}\.jar/"; classtype:attempted-user; sid:2016227; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_17, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Class Download"; flow:established,to_server; content:"/com/sun/org/glassfish/gmbal/util/GenericConstructor.class"; fast_pattern:13,20; content:" Java/1"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016240; rev:5; metadata:created_at 2013_01_18, updated_at 2013_01_18;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,from_server; file_data; content:"|22|pdfx.ht|5C|x6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016247; rev:6; metadata:created_at 2013_01_21, updated_at 2013_01_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page"; flow:established,to_server; content:"/i.html?0x"; http_uri; depth:10; urilen:>100; pcre:"/\/i\.html\?0x\d{1,2}=[a-zA-Z0-9+=]{100}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016248; rev:6; metadata:created_at 2013_01_21, updated_at 2013_01_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Red Dot Exploit Kit Single Character JAR Request"; flow:established,to_server; urilen:6; content:".jar"; http_uri; pcre:"/\x2F[a-z]\x2Ejar$/U"; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016254; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ET CURRENT_EVENTS Red Dot Exploit Kit Binary Payload Request"; flow:established,to_server; content:"/load.php?guid="; http_uri; content:"&thread="; http_uri; content:"&exploit="; http_uri; content:"&version="; http_uri; content:"&rnd="; http_uri; reference:url,malware.dontneedcoffee.com/; classtype:trojan-activity; sid:2016255; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Gondad Exploit Kit Post Exploitation Request"; flow:established,to_server; content:"/cve2012xxxx/Gondvv.class"; http_uri; classtype:trojan-activity; sid:2016256; rev:2; metadata:created_at 2013_01_23, updated_at 2013_01_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS - in.php"; flow:established,to_server; content:"/in.php?s="; http_uri; classtype:trojan-activity; sid:2016272; rev:2; metadata:created_at 2013_01_24, updated_at 2013_01_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"Confuser.class"; classtype:bad-unknown; sid:2016277; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MetaSploit CVE-2012-1723 Class File (seen in live EKs)"; flow:established,from_server; flowbits:isset,ET.http.javaclient; content:"ConfusingClassLoader.class"; classtype:bad-unknown; sid:2016276; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2013_01_24, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> 
$HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|"; within:69; fast_pattern:49,20; classtype:trojan-activity; sid:2016298; rev:4; metadata:created_at 2013_01_28, updated_at 2013_01_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious iframe"; flow:established,from_server; file_data; content:").)*?[\r\n\s]+name[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])?(Twitter|Google\+)(?P=q)?[\r\n\s]+/R"; content:"scrolling=auto frameborder=no align=center height=2 width=2"; within:59; fast_pattern:39,20; classtype:trojan-activity; sid:2016297; rev:4; metadata:created_at 2013_01_28, updated_at 2013_01_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing URL structure"; flow:established,from_client; content:"/inf.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/inf\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016306; rev:2; metadata:created_at 2013_01_29, updated_at 2013_01_29;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"Adobe Flash must be updated to view this"; content:"/lib/adobe.php?id="; distance:0; fast_pattern; pcre:"/^[a-f0-9]{32}/R"; classtype:trojan-activity; sid:2016307; rev:6; metadata:created_at 2013_01_29, updated_at 2013_01_29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Non-Standard HTML page in Joomla /com_content/ dir (Observed in Recent Pharma Spam)"; flow:established,to_server; content:"/components/com_content/"; http_uri; content:!"index.html"; nocase; within:10; http_uri; content:".html"; nocase; http_uri; distance:0; classtype:bad-unknown; sid:2016311; rev:6; metadata:created_at 
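2013_01_29, updated_at 2013_01_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible JDB Exploit Kit Class Request"; flow:established,to_server; content:"/jdb/"; http_uri; nocase; content:".class"; http_uri; nocase; pcre:"/\/jdb\/[^\/]+\.class$/Ui"; content:" Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016308; rev:6; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS JDB Exploit Kit Fake Adobe Download"; flow:established,to_server; content:"/lib/adobe.php?id="; http_uri; nocase; fast_pattern:only; pcre:"/\/lib\/adobe\.php\?id=[a-f0-9]{32}$/Ui"; classtype:trojan-activity; sid:2016310; rev:5; metadata:created_at 2013_01_29, updated_at 2013_01_29;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:").)+?\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:3; metadata:created_at 2012_10_31, updated_at 2012_10_31;)
# sid:2015998: the original pcre "/\/i.php?token=[a-z0-9]+$/Ui" left "?" unescaped, so "p?" made that "p"
# optional and required "token=" to follow "ph" directly. A URI containing the literal "/i.php?token="
# (which the content: anchor already requires) could therefore never satisfy the pcre, and the rule was
# effectively dead. "." and "?" are now escaped so the pcre matches the same string the content: does;
# rev 3 -> 4 (updated_at left as-is; set it when merging).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; fast_pattern:only; nocase; pcre:"/\/i\.php\?token=[a-z0-9]+$/Ui"; classtype:trojan-activity; sid:2015998; rev:4; metadata:created_at 2012_12_07, updated_at 2012_12_07;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e="; http_uri; fast_pattern:only; content:"&token="; http_uri; classtype:trojan-activity; sid:2015962; rev:11; metadata:created_at 2012_11_28, updated_at 2012_11_28;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Jerk.cgi 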
TDS"; flow:established,to_server; content:"/jerk.cgi?"; fast_pattern:only; http_uri; pcre:"/\x2Fjerk\x2Ecgi\x3F[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/02/the-infection-of-styx-exploit-kit.html; classtype:trojan-activity; sid:2016352; rev:2; metadata:created_at 2013_02_05, updated_at 2013_02_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Landing Applet With Getmyfile.exe Payload"; flow:established,to_client; file_data; content:"[\x22\x27])a(?P=q)[^\r\n]*\r\n[\r\n\s]+(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/Pi"; classtype:attempted-user; sid:2016354; rev:3; metadata:created_at 2013_02_05, updated_at 2013_02_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Styx Exploit Kit Secondary Landing"; flow:established,to_server; content:".js"; http_uri; content:"/i.html"; http_header; fast_pattern:only; pcre:"/^[a-z]+\.js$/U"; pcre:"/^Referer\x3a[^\r\n]+\/i.html(\?[^=]{1,10}=[^&\r\n]{100,})?\r?$/Hmi"; classtype:bad-unknown; sid:2016347; rev:6; metadata:created_at 2013_02_05, updated_at 2013_02_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page - Received"; flow:established,to_client; file_data; content:"js.pd.js"; content:"|7C|applet|7C|"; classtype:trojan-activity; sid:2016356; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack - URI - jpfoff.php"; flow:established,to_server; content:"/jpfoff.php?token="; http_uri; classtype:trojan-activity; sid:2016357; rev:2; metadata:created_at 2013_02_06, updated_at 2013_02_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM EK - Landing Page"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_MM - Payload Download"; flow:established,to_client; file_data; content:"PK"; 
within:2; content:"stealth.exe"; within:60; classtype:trojan-activity; sid:2016377; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Flash Zero Day LadyBoyle Infection Campaign"; flow:established,to_client; file_data; content:"FWS"; distance:0; content:"LadyBoyle"; distance:0; reference:md5,3de314089db35af9baaeefc598f09b23; reference:md5,2568615875525003688839cb8950aeae; reference:url,blog.fireeye.com/research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html; reference:url,www.adobe.com/go/apsb13-04; reference:cve,2013-0633; reference:cve,2013-0633; classtype:trojan-activity; sid:2016391; rev:2; metadata:created_at 2013_02_08, updated_at 2013_02_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Impact Exploit Kit Landing Page"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"value"; distance:0; pcre:"/^(\s*=\s*|[\x22\x27]\s*,\s*)[\x22\x27]/R"; content:"h"; distance:8; within:1; content:"t"; distance:8; within:1; content:"t"; distance:8; within:1; content:"p"; distance:8; within:1; content:"|3a|"; distance:8; within:1; content:"/"; distance:8; within:1; classtype:trojan-activity; sid:2016393; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash CVE-2013-0634"; flow:established,to_client; flowbits:isset,HTTP.UncompressedFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; classtype:trojan-activity; sid:2016396; rev:5; metadata:created_at 2013_02_08, updated_at 2013_02_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Specific Uncompressed Flash Inside of OLE CVE-2013-0634"; flow:established,to_client; flowbits:isset,OLE.WithFlash; file_data; content:"RegExp"; distance:0; content:"#(?i)()()(?-i)|7c 7c|"; distance:0; 
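classtype:trojan-activity; sid:2016397; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,HTTP.UncompressedFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016400; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
# sid:2016401: the reference read cve,2013-0364 (digits transposed). The msg and the sibling
# sid:2016400 (same pcre, HTTP flash instead of OLE-embedded flash) both say CVE-2013-0634, so the
# reference is corrected to that; detection logic unchanged; rev 3 -> 4 (updated_at left as-is; set it
# when merging).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Flash Action Script Invalid Regex CVE-2013-0634"; flow:established,to_client; file_data; flowbits:isset,OLE.WithFlash; content:"RegExp"; distance:0; content:"#"; distance:0; pcre:"/^[\x20-\x7f]*\(\?[sxXmUJ]*i[sxXmUJ]*(\-[sxXmUJ]*)?\)[\x20-\x7f]*\(\?[sxXmUJ]*\-[sxXmUJ]*i[sxXmUJ]*\)[\x20-\x7f]*\|\|/R"; reference:cve,2013-0634; classtype:trojan-activity; sid:2016401; rev:4; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload - obfuscated binary base 0"; flow:established,to_client; file_data; content:"|af 9e b6 98 09 fc ee d0|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016403; rev:2; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"SunJCE.class"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016407; rev:3; metadata:created_at 2013_02_12, updated_at 2013_02_12;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS TDS Vdele"; flow:established,to_server; content:"GET"; nocase; http_method; urilen:>37; content:"/vd/"; http_uri; nocase; fast_pattern:only; 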
pcre:"/\/vd\/\d+\x3b[a-f0-9]{32}/Ui"; classtype:trojan-activity; sid:2016412; rev:2; metadata:created_at 2013_02_14, updated_at 2013_02_14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarext32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:3; metadata:created_at 2013_02_14, updated_at 2013_02_14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"lbarhlp32.blb"; http_client_body; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:3; metadata:created_at 2013_02_14, updated_at 2013_02_14;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK landing applet plus class Feb 18 2013"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS StyX Landing Page (2)"; flow:established,from_server; file_data; content:"|22|pdf|5c|78.ht|5c|6dl|22|"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016497; rev:7; metadata:created_at 2013_02_25, updated_at 2013_02_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Nicepack EK Landing (Anti-VM)"; flow:established,to_client; file_data; content:"if(document.body.onclick!=null)"; content:"if(document.styleSheets.length!=0)"; classtype:bad-unknown; sid:2016500; rev:8; metadata:created_at 2013_02_25, updated_at 2013_02_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible g01pack Landing Page"; flow:established,to_client; file_data; 
content:"[\x22\x27])((?!(?P=q)).)+?\.(gif|jpe?g|p(ng|sd))(?P=q)/Rsi"; classtype:trojan-activity; sid:2016333; rev:4; metadata:created_at 2013_01_31, updated_at 2013_01_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Exploit Request"; flow:established,to_server; content:"/module.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; classtype:bad-unknown; sid:2016523; rev:2; metadata:created_at 2013_03_04, updated_at 2013_03_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?pprec"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?pprec$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016542; rev:3; metadata:created_at 2013_03_05, updated_at 2013_03_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible Portal TDS Kit GET (2)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?c002"; nocase; fast_pattern:only; http_uri; pcre:"/\.php\?c002$/Ui"; reference:url,ondailybasis.com/blog/?p=1867; classtype:trojan-activity; sid:2016543; rev:2; metadata:created_at 2013_03_05, updated_at 2013_03_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS JAR Download by Java UA with non JAR EXT matches various EKs"; flow:established,from_server; content:!".jar"; http_header; nocase; file_data; content:"PK"; within:2; content:".class"; distance:0; fast_pattern; flowbits:isset,ET.JavaNotJar; flowbits:unset,ET.JavaNotJar; classtype:bad-unknown; sid:2016540; rev:3; metadata:created_at 2013_03_05, updated_at 2013_03_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CrimeBoss Generic URL Structure"; flow:established,to_server; content:".php?action=jv&h="; http_uri; classtype:bad-unknown; sid:2016558; rev:4; metadata:created_at 2013_03_08, 
updated_at 2013_03_08;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to a *.opengw.net Open VPN Relay Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opengw|03|net|00|"; nocase; fast_pattern:only; reference:url,www.vpngate.net; classtype:bad-unknown; sid:2016586; rev:5; metadata:created_at 2013_03_15, updated_at 2013_03_15;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit Landing Page URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"u33&299"; within:200; content:"u3v7"; within:50; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016587; rev:6; metadata:created_at 2013_03_15, updated_at 2013_03_15;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain peocity.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|peocity|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016600; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain rusview.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|rusview|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016601; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain skyruss.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|skyruss|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016602; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain commanal.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|commanal|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016603; 
rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain natareport.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|natareport|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016604; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogellrey.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photogellrey|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016605; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photogalaxyzone.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|photogalaxyzone|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016606; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insdet.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|insdet|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016607; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain creditrept.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|creditrept|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016608; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pollingvoter.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|pollingvoter|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016609; 
rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dfasonline.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dfasonline|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016610; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hudsoninst.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|hudsoninst|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016611; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain wsurveymaster.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|wsurveymaster|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016612; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nhrasurvey.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|nhrasurvey|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016613; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain pdi2012.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|pdi2012|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016614; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain nceba.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|nceba|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016615; rev:1; metadata:created_at 
2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain linkedin-blog.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|linkedin-blog|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016616; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain aafbonus.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|aafbonus|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016617; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain milstars.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|milstars|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016618; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain vatdex.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|vatdex|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016619; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain insightpublicaffairs.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|14|insightpublicaffairs|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016620; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain applesea.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|applesea|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016621; rev:1; metadata:created_at 
2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledmg.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledmg|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016622; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appleintouch.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|appleintouch|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016623; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain seyuieyahooapis.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|seyuieyahooapis|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016624; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain appledns.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|appledns|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016625; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain emailserverctr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|emailserverctr|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016626; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain dailynewsjustin.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|dailynewsjustin|03|com|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016627; rev:1; 
metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain hi-tecsolutions.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|hi-tecsolutions|03|org|00|"; nocase; fast_pattern; distance:0; classtype:trojan-activity; sid:2016628; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain slashdoc.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|slashdoc|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016629; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain photosmagnum.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|photosmagnum|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016630; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain resume4jobs.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|resume4jobs|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016631; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain searching-job.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|searching-job|03|net|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016632; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain servagency.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|servagency|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016633; 
rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain gsasmartpay.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|gsasmartpay|03|org|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016634; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Sykipot Domain tech-att.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|tech-att|03|com|00|"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016635; rev:1; metadata:created_at 2013_03_20, updated_at 2013_03_20;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:").)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:2016643; rev:5; metadata:created_at 2013_03_21, updated_at 2013_03_21;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Postal Reciept EXE in Zip"; flow:from_server,established; file_data; content:"PK"; within:2; content:"Postal-Receipt.exe"; nocase; fast_pattern:only; classtype:trojan-activity; sid:2016654; rev:2; metadata:created_at 2013_03_22, updated_at 2013_03_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO - possible second stage landing page"; flow:established,to_server; urilen:>40; content:".js"; offset:38; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([tZFBeDauxR]+q){3}[tZFBeDauxR]+(_[tZFBeDauxR]+)?|O7dd)k(([tZFBeDauxR]+q){3}[tZFBeDauxR]+|O7dd)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016073; rev:7; metadata:created_at 2012_12_21, updated_at 2012_12_21;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (1)"; flow:established,to_client; 
file_data; content:"|81 f2 90 00 cf a8 00 00|"; within:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016663; rev:2; metadata:created_at 2013_03_25, updated_at 2013_03_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page obfuscated applet tag Mar 28 2013"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:trojan-activity; sid:2013175; rev:4; metadata:created_at 2011_07_04, updated_at 2011_07_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"visited=TRUE|3b| mutex="; http_cookie; depth:20; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/346989-vbulletin-footer-sql-injection-hack; reference:url,blog.webroot.com/2013/03/29/a-peek-inside-the-egypack-web-malware-exploitation-kit/; classtype:bad-unknown; sid:2014408; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_03_21, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; content:"301"; http_stat_code; content:"Moved Permanently"; http_stat_msg; content:"/update/winword.pkg"; http_header; 
pcre:"/Location\x3A[^\r\n]*\x2Fupdate\x2Fwinword\x2Epkg/H"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:trojan-activity; sid:2016713; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;) alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Targeted Tibetan Android Malware C2 Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|android|06|uyghur|04|dnsd|02|me|00|"; nocase; fast_pattern; distance:0; reference:url,citizenlab.org/2013/04/permission-to-spy-an-analysis-of-android-malware-targeting-tibetans/; classtype:trojan-activity; sid:2016711; rev:2; metadata:created_at 2013_04_03, updated_at 2013_04_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet and 32HexChar.jar"; flow:established,to_client; file_data; content:" $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe outbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016718; rev:4; metadata:created_at 2013_04_03, updated_at 2013_04_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS BHEK q.php iframe inbound"; flow:established,to_client; file_data; content:"/q.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/q\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016716; rev:5; metadata:created_at 2013_04_03, updated_at 2013_04_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET 
CURRENT_EVENTS BHEK ff.php iframe inbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016717; rev:4; metadata:created_at 2013_04_03, updated_at 2013_04_03;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BHEK ff.php iframe outbound"; flow:established,to_client; file_data; content:"/ff.php"; fast_pattern:only; content:"[\x22\x27])http\x3a\/\/[^\x5c]+?\/(?:[a-f0-9]{16}|[a-f0-9]{32})\/ff\.php(?P=q1)/Rs"; reference:url,blog.sucuri.net/2013/02/web-server-compromise-debian-distro-identify-and-remove-corrupt-apache-modules.html; classtype:trojan-activity; sid:2016719; rev:4; metadata:created_at 2013_04_03, updated_at 2013_04_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Potential Fiesta Flash Exploit"; flow:established,to_server; content:"/?"; http_uri; content:"|3b|"; distance:60; within:7; http_uri; pcre:"/\/\?[0-9a-f]{60,66}\x3b(?:1(?:0[0-3]|1\d)|90)\d{1,3}\x3b\d{1,3}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016726; rev:6; metadata:created_at 2013_04_04, updated_at 2013_04_04;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RedDotv2 Jar March 18 2013"; flow:established,to_server; content:"/sexy.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2016594; rev:7; metadata:created_at 2013_03_18, updated_at 2013_03_18;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit applet + obfuscated URL Apr 7 2013"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"8ss&299"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016734; rev:2; metadata:created_at 2013_04_08, updated_at 2013_04_08;) 
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS GonDadEK Kit Jar"; flow:to_client,established; file_data; content:"ckwm"; pcre:"/^(ckwm)*?(Exp|cc)\.class/R"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016737; rev:11; metadata:created_at 2013_04_09, updated_at 2013_04_09;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS W32/Citadel Infection or Config URL Request"; flow:established,to_server; content:"/file.php|7C|file="; http_uri; reference:url,malwaremustdie.blogspot.co.uk/2013/04/wireshark-analysis-of-citadel-trojan.html; reference:url,seifreed.es/docs/Citadel%20Trojan%20Report_eng.pdf; classtype:trojan-activity; sid:2016738; rev:2; metadata:created_at 2013_04_09, updated_at 2013_04_09;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS winlogon.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/winlogon.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/winlogon\.exe$/Ui"; reference:md5,fd95cc0bb7d3ea5a0c86d45570df5228; reference:md5,09330c596a33689a610a1b183a651118; classtype:bad-unknown; sid:2016697; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS smss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/smss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/smss\.exe$/Ui"; reference:md5,450dbe96d7f4108474071aca5826fc43; 
classtype:bad-unknown; sid:2016701; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS csrss.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/csrss.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/csrss\.exe$/Ui"; reference:md5,21a069667a6dba38f06765e414e48824; classtype:bad-unknown; sid:2016702; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS rundll32.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/rundll32.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/rundll32\.exe$/Ui"; reference:md5,ea3dec87f79ff97512c637a5c8868a7e; classtype:bad-unknown; sid:2016703; rev:12; metadata:created_at 2013_04_01, updated_at 2013_04_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS lsass.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/lsass.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/lsass\.exe$/Ui"; reference:md5,d929747212309559cb702dd062fb3e5d; classtype:bad-unknown; sid:2016699; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS explorer.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/explorer.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/explorer\.exe$/Ui"; reference:md5,de1bc32ad135b14ad3a5cf72566a63ff; classtype:bad-unknown; sid:2016700; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client"; flow:established,from_server; content:""; within:100; classtype:attempted-user; sid:2012624; rev:5; metadata:created_at 2011_04_02, updated_at 
2011_04_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_gmf EK - pdfx.html"; flow:established,to_server; content:"/pdfx.html"; http_uri; classtype:trojan-activity; sid:2016055; rev:3; metadata:created_at 2012_12_17, updated_at 2012_12_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SUSPICIOUS svchost.exe in URI Probable Process Dump/Trojan Download"; flow:established,to_server; content:"GET"; http_method; content:"/svchost.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/svchost\.exe$/Ui"; classtype:bad-unknown; sid:2016696; rev:13; metadata:created_at 2013_04_01, updated_at 2013_04_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO obfuscator string 19 Dec 12 - possible landing"; flow:from_server,established; file_data; content:"cRxmlqC14I8yhr92sovp"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2016070; rev:5; metadata:created_at 2012_12_20, updated_at 2012_12_20;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Apr 21 2013"; flow:established,from_server; file_data; content:"OD&|3a|x9T6"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016781; rev:2; metadata:created_at 2013_04_22, updated_at 2013_04_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Fake DHL Kuluoz.B URI"; flow:established,to_server; content:".php?get"; http_uri; fast_pattern:only; pcre:"/\.php\?get[^=]*=\d_\d{5,}$/U"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2016779; rev:4; metadata:created_at 2013_04_22, updated_at 2013_04_22;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta - Payload - flashplayer11"; flow:established,to_client; content:"flashplayer11_"; http_header; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2016784; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;) alert http $EXTERNAL_NET any 
-> $HOME_NET any (msg:"ET CURRENT_EVENTS Redkit encrypted binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|fb 67 1f 49|"; within:4; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016113; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mfunc"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mfunc"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mfunc/Pi"; classtype:attempted-user; sid:2016788; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection mclude"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"mclude"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?mclude/Pi"; classtype:attempted-user; sid:2016789; rev:2; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS Possible Wordpress Super Cache Plugin PHP Injection dynamic-cached-content"; flow:established,to_server; content:"POST"; http_method; content:"comment"; http_client_body; nocase; content:"dynamic-cached-content"; fast_pattern; http_client_body; nocase; distance:0; pcre:"/(?:%3C%21|\<\!)--[\r\n\s]*?dynamic-cached-content/Pi"; classtype:attempted-user; sid:2016790; rev:2; 
metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, deployment Datacenter, tag Wordpress, signature_severity Major, created_at 2013_04_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:5; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_08_28, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated Click To Run Bypass"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange applet with obfuscated URL March 03 2013"; flow:established,from_server; file_data; content:"applet"; content:"103sdj115sdj115sdj111sdj57sdj46sdj46sdj"; fast_pattern; within:250; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016585; rev:7; metadata:created_at 2013_03_15, updated_at 2013_03_15;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:5; metadata:created_at 2012_10_26, updated_at 2012_10_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java payload request (1)"; flow:established,to_server; content:"Java/1"; http_user_agent; 
content:"openparadise1"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016111; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sweet Orange Java obfuscated binary (3)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|20 3b|"; within:2; content:"|3d 24 00 00|"; within:512; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016655; rev:5; metadata:created_at 2013_03_22, updated_at 2013_03_22;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS pamdql/Sweet Orange delivering exploit kit payload"; flow:established,to_server; content:"/command/"; http_uri; urilen:15; pcre:"/^\/command\/[a-zA-Z]{6}$/U"; classtype:trojan-activity; sid:2016093; rev:4; metadata:created_at 2012_12_27, updated_at 2012_12_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Metasploit Java Payload"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"Payload.class"; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:4; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_08_28, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_user_agent; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, 
deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2012_07_02, malware_family Nuclear, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK UAC Disable in Uncompressed JAR"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"UACDisableNotify"; fast_pattern:only; classtype:trojan-activity; sid:2016805; rev:3; metadata:created_at 2013_04_30, updated_at 2013_04_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; content:"text="; http_client_body; depth:5; pcre:"/\?(s|page|id)=\d+$/U"; classtype:trojan-activity; sid:2015974; rev:14; metadata:created_at 2012_11_30, updated_at 2012_11_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Exodus Intel IE HTML+TIME EIP Control Technique"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Injection - var j=0"; flow:established,to_client; file_data; content:"00|3a|00|3a|00|3b| path=/|22 3b|var j=0|3b| while(j"; classtype:trojan-activity; sid:2016830; rev:2; metadata:created_at 2013_05_07, updated_at 2013_05_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2013-2423 IVKM PoC Seen in Unknown EK"; flow:to_client,established; content:"Union1.class"; content:"Union2.class"; fast_pattern; content:"SystemClass.class"; content:"PoC.class"; flowbits:isset,ET.http.javaclient; reference:url,weblog.ikvm.net/CommentView.aspx?guid=acd2dd6d-1028-4996-95df-efa42ac237f0; classtype:trojan-activity; sid:2016831; rev:3; metadata:created_at 2013_05_07, updated_at 2013_05_07;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS IE HTML+TIME ANIMATECOLOR with eval as 
seen in unknown EK"; flow:established,from_server; file_data; content:"urn|3a|schemas-microsoft-com|3a|time"; nocase; content:"#default#time2"; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript May 10 2013"; flow:established,from_server; file_data; content:"qV7/|3b|pF"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016852; rev:3; metadata:created_at 2013_05_15, updated_at 2013_05_15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS FlimKit Post Exploit Payload Download"; flow:to_server,established; content:"POST"; http_method; urilen:17; pcre:"/^\/[a-f0-9]{16}$/U"; content:!"Referer|3a 20|"; http_header; content:!"User-Agent|3a 20|"; http_header; content:"HTTP/1.0|0d 0a|"; content:"Content-Length|3a 20|0|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\r\nContent-Length\x3a\s0\r\nConnection\x3a\sclose\r\n(\r\n)?$/H"; classtype:trojan-activity; sid:2016869; rev:3; metadata:created_at 2013_05_20, updated_at 2013_05_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown EK Requesting Payload"; flow:established,to_server; content:".php?ex="; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016896; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Malicious Redirect URL"; flow:established,to_server; content:"/8gcf744Waxolp752.php"; http_uri; classtype:trojan-activity; sid:2016919; rev:8; metadata:created_at 2013_05_23, updated_at 2013_05_23;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"Gond"; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:11; 
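metadata:created_at 2012_08_03, updated_at 2012_08_03;)
# KaiXin EK class name carrying a build date, served to a Java client.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 2 May 24 2013"; flow:to_client,established; file_data; content:"20130422.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016924; rev:11; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
# KaiXin landing page: AppletObject.code pointing at a Gond*.class name.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 1 May 24 2013"; flow:to_client,established; file_data; content:"AppletObject.code"; nocase; content:"Gond"; nocase; distance:0; pcre:"/^(?:a(?:ttack|dEx[xp])|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016925; rev:2; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
# HellSpawn EK landing marker functions. fast_pattern:4,20 selects "tion weCameFromHell(" (bytes 4..23 of the 24-byte content).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 1 May 24 2013"; flow:to_client,established; file_data; content:"function weCameFromHell("; nocase; fast_pattern:4,20; content:"spawAnyone(";  nocase; distance:0; classtype:trojan-activity; sid:2016927; rev:11; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
# HellSpawn EK landing 2: window.location = f("<obfuscated http://>", "...") + f(...). The PCRE's named groups (func, h, t, slash) are restored below: an extractor had stripped the "<name>" part of each (?P<name>...) group while leaving the (?P=name) back-references, which left the pattern uncompilable. Group order is fixed by the back-references (t's lookahead needs h, slash's lookahead needs h and t, func closes the expression), so this is a restoration of the published text, not a new revision -- rev left at 2.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HellSpawn EK Landing 2 May 24 2013"; flow:to_client,established; file_data; content:"FlashPlayer.cpl"; nocase; fast_pattern:only; content:"window.location"; nocase; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?(?P<func>[_a-zA-Z][a-zA-Z0-9_-]+)\([\r\n\s]*?[\x22\x27](?!http\x3a\/\/)(?P<h>[^\x22\x27])(?P<t>(?!(?P=h))[^\x22\x27])(?P=t)[^\x22\x27]{2}(?P<slash>(?!((?P=h)|(?P=t)))[^\x22\x27])(?P=slash)[^\x22\x27]*?[\x22\x27][\r\n\s]*?,[\r\n\s]*?[\x22\x27][^\x22\x27]+[\x22\x27][\r\n\s]*?\)\+(?P=func)/Rsi"; classtype:trojan-activity; sid:2016928; rev:2; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
# Continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible HellSpawn EK Fake 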
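Flash May 24 2013"; flow:to_server,established; content:"/FlashPlayer.cpl"; http_uri; nocase; fast_pattern:only; pcre:"/\/FlashPlayer\.cpl$/U"; classtype:trojan-activity; sid:2016929; rev:11; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
# NOTE(review): sid:2016926 below is damaged in this copy: the second content holds the tail of a PCRE (").)+?[\x22\x27]1337\.exe/Ri") whose head, and probably a preceding tag-like content, were stripped. It will not parse as shown; restore from upstream.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Landing Page 2 May 24 2013"; flow:to_client,established; file_data; content:"1337.exe"; nocase; fast_pattern:only; content:").)+?[\x22\x27]1337\.exe/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016926; rev:2; metadata:created_at 2013_05_24, updated_at 2013_05_24;)
# Sakura landing: value="<10 repeats of one %xx or alnum token>" followed by PluginDetect. The named groups hex/ascii are restored below -- extraction had stripped "<hex>"/"<ascii>" from the (?P<...>) openers while the (?P=hex)/(?P=ascii) back-references survived, so the pattern could not compile. Restoration only; rev left at 6.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received"; flow:established,to_client; file_data; content:"value"; pcre:"/^[\r\n\s\+]*?=[\r\n\s\+]*?[\x22\x27]((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){10}|(?P=ascii){10})/R"; content:"var PluginDetect"; distance:0; classtype:trojan-activity; sid:2016791; rev:6; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
# Sakura Java exploit: JAR (PK) from ports 81-90 referencing javax.crypto SecretKeySpec. (msg typo "Recievied" is upstream's; left as-is since it is the alert text.)
alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Java Exploit Recievied"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"javax/crypto/spec/SecretKeySpec"; distance:0; classtype:trojan-activity; sid:2016785; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
# Sakura payload: filename=<4 letters>.txt from ports 81-90 to a Java client.
alert http $EXTERNAL_NET 81:90 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Payload Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; content:".txt|0d 0a|"; http_header; fast_pattern:only; pcre:"/filename=[a-z]{4}\.txt\x0D\x0A/H"; classtype:trojan-activity; sid:2016787; rev:3; metadata:created_at 2013_04_26, updated_at 2013_04_26;)
# NOTE(review): the rule below is cut at content:" (a stripped tag-like token) and its tail sits on the next line; it does not parse as shown.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura - Landing Page - Received May 29 2013"; flow:established,to_client; file_data; content:"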
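]*?>((?P<hex>%[A-Fa-f0-9]{2})|(?P<ascii>[a-zA-Z0-9]))((?P=hex){9,20}|(?P=ascii){9,20})%3C/R"; content:"{version:|22|0.8.0|22|"; distance:0; nocase; classtype:trojan-activity; sid:2016942; rev:6; metadata:created_at 2013_05_29, updated_at 2013_05_29;)
# NOTE(review): the fragment above is the tail of sid:2016942; its head (previous line) is cut at content:" and the PCRE's opening delimiter is gone, so the rule still does not parse. Only the named groups hex/ascii -- stripped by extraction but pinned by the surviving (?P=hex)/(?P=ascii) back-references -- were restored here.
# Topic EK PDF request: .php?exp=lib...&b=<7 hex>&k=<32 hex>. Fix: "&k=" now carries http_uri like the two contents before it and like the sibling rule sid:2016896; it was the only unbuffered (raw-payload) match in an otherwise URI-buffer rule. rev 3 -> 4 (set updated_at when merging).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Topic EK Requesting PDF"; flow:established,to_server; content:".php?exp=lib"; http_uri; content:"&b="; http_uri; content:"&k="; http_uri; pcre:"/&b=[a-f0-9]{7}&k=[a-f0-9]{32}/U"; classtype:trojan-activity; sid:2016108; rev:4; metadata:created_at 2012_12_28, updated_at 2012_12_28;)
# Disabled upstream (2010 Neosploit URI format); kept for history.
#alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Exploit Pack Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| "; nocase; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/U"; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; classtype:attempted-user; sid:2011583; rev:4; metadata:created_at 2010_10_01, updated_at 2010_10_01;)
# Sakura 1.1 applet parameter value "lxxt>33".
alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; file_data; content:"value=|22|lxxt>33"; fast_pattern:only; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:4; metadata:created_at 2012_06_04, updated_at 2012_06_04;)
# CritX/SafePack plugin-version report: /gate.php?ver=...&p=a.b.c.d&j=a.b.c.d&f=a.b.c.d (presumably PDF/Java/Flash versions). Continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack Reporting Plugin Detect Data June 03 2013"; flow:established,to_server; content:"/gate.php?ver="; http_uri; nocase; fast_pattern:only; pcre:"/&p=\d+\.\d+\.\d+\.\d+&j=\d+\.\d+\.\d+\.\d+&f=\d+\.\d+\.\d+\.\d+$/U"; 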
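classtype:trojan-activity; sid:2016964; rev:2; metadata:created_at 2013_06_03, updated_at 2013_06_03;)
# Disabled upstream (CritXPack JAR request).
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritXPack Jar Request (3)"; flow:established,to_server; content:"/j17.php?i="; http_uri; content:"|29 20|Java/1"; http_user_agent; fast_pattern:only; classtype:trojan-activity; sid:2016365; rev:5; metadata:created_at 2013_02_06, updated_at 2013_02_06;)
# Sakura obfuscated-JS marker; the distance:0 has no preceding content to be relative to.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura obfuscated javascript Jun 1 2013"; flow:established,from_server; file_data; content:"a5chZev!"; distance:0; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016966; rev:7; metadata:created_at 2013_06_03, updated_at 2013_06_03;)
# CoolEK payload fetch (9): .txt?f=<digits> with no Referer. Fix: ".txt?f=" is now matched in the URI buffer (http_uri), consistent with the sibling CoolEK rule sid:2016414 and with the /U PCRE that follows; it was previously an unbuffered raw-payload match. rev 9 -> 10 (set updated_at when merging).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload Download (9)"; flow:established,to_server; content:".txt?f="; http_uri; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?f=\d+$/U"; classtype:trojan-activity; sid:2016976; rev:10; metadata:created_at 2013_06_05, updated_at 2013_06_05;)
# Disabled upstream (pamdql EK, 2012).
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}$/C"; content:"/x-java-archive|0d 0a|"; fast_pattern:only; http_header; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015724; rev:10; metadata:created_at 2012_09_21, updated_at 2012_09_21;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; file_data; content:"d---o---c---u---m---"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015738; rev:3; metadata:created_at 2012_09_25, updated_at 2012_09_25;)
# Kuluoz.B spam: response naming Shipment_Label.zip whose zip body lists an .exe. Continues on the next line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Spam Campaign Shipment_Label.exe in Zip"; 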
flow:from_server,established; content:"Shipment_Label.zip"; nocase; fast_pattern:only; http_header; file_data; content:"PK"; within:2; content:".exe"; distance:0; classtype:trojan-activity; sid:2017003; rev:2; metadata:created_at 2013_06_12, updated_at 2013_06_12;)
# FlimKit landing (jnlp_embedded applet). NOTE(review): in this copy the rule is cut at content:" -- the tag-like text that followed was stripped -- and its tail sits on the next line; it will not parse as shown.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FlimKit Landing"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; fast_pattern:only; content:"
"; content:"[\x22\x27])[a-f0-9]{9,16}\.(jar|zip)(?P=q)/R"; classtype:trojan-activity; sid:2016840; rev:5; metadata:created_at 2013_05_09, updated_at 2013_05_09;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm (jvm.dll) Requested Over WeBDAV"; flow:established,to_server; content:"/jvm.dll"; http_uri; fast_pattern:only; pcre:"/\/jvm\.dll$/U"; reference:cve,2012-1533; classtype:trojan-activity; sid:2017012; rev:4; metadata:created_at 2013_06_13, updated_at 2013_06_13;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing (Payload Downloaded Via Dropbox)"; flow:established,from_server; file_data; content:"jnlp_embedded"; nocase; content:"6u27.jar"; content:"6u41.jar"; fast_pattern:only; classtype:trojan-activity; sid:2017014; rev:2; metadata:created_at 2013_06_13, updated_at 2013_06_13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Kuluoz.B Shipping Label Spam Campaign"; flow:established,to_server; content:".php?"; http_uri; content:"_info="; distance:1; within:6; http_uri; pcre:"/\.php\?[a-z]_info=[a-z0-9]{1,4}_\d+?$/Ui"; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:2017002; rev:6; metadata:created_at 2013_06_12, updated_at 2013_06_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK .cache request"; flow:established,to_server; content:"Java/1"; http_user_agent; content:"/.cache/?f|3d|"; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2017019; rev:2; metadata:created_at 2013_06_14, updated_at 2013_06_14;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Karagany encrypted binary (3)"; flow:established,to_client; file_data; content:"|f2 fd 90 00 bc a7 00 00|"; within:8; 
flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016970; rev:4; metadata:created_at 2013_06_04, updated_at 2013_06_04;)
# RedTDS URI: /<1-2 digits>/red<digits>.php[digit]. NOTE(review): the content gate (".php" at distance:2, within:6 after "/red") admits only 2-4 digits after "red", while the PCRE allows [0-9]{1,4}; a one-digit id satisfies the PCRE but never reaches it. Harmless if one-digit ids do not occur in the wild -- confirm against captures before loosening distance to 1.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Unknown_InIFRAME - RedTDS URI Structure"; flow:established,to_server; content:"/red"; depth:7; http_uri; content:".php"; distance:2; within:6; http_uri; pcre:"/^\/[0-9]{1,2}\/red[0-9]{1,4}\.php[0-9]{0,1}$/Ui"; classtype:trojan-activity; sid:2017028; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
# /iniframe/<32 chars>/<1-5 chars>/<32 chars>/ URI structure, enforced purely with relative content offsets.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - URI Structure"; flow:established,to_server; content:"/iniframe/"; depth:10; http_uri; content:"/"; distance:32; within:1; http_uri; content:"/"; distance:1; within:5; http_uri; content:"/"; distance:32; within:1; http_uri; classtype:trojan-activity; sid:2017029; rev:5; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
# Server side: a 302 whose headers contain /iniframe/ (presumably Location, but not restricted to that header).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_InIFRAME - Redirect to /iniframe/ URI"; flow:established,to_client; content:"302"; http_stat_code; content:"/iniframe/"; http_header; classtype:trojan-activity; sid:2017030; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
# Flash malvertising loader URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Flash - URI - /loading?vkn="; flow:established,to_server; content:"/loading?vkn="; http_uri; classtype:trojan-activity; sid:2017032; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
# NailedPack landing: the obfuscated-JS call report_and_get_exploits(_0x...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS NailedPack EK Landing June 18 2013"; flow:established,to_client; file_data; content:"report_and_get_exploits(_0x"; reference:url,www.basemont.com/june_2013_exploit_kit_2; classtype:trojan-activity; sid:2017034; rev:2; metadata:created_at 2013_06_18, updated_at 2013_06_18;)
# CVE-2013-1571 (Javadoc frame injection): continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Javadoc API Redirect CVE-2013-1571"; 
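flow:established,to_server; content:"GET"; nocase; http_method; content:"?//"; http_header; fast_pattern:only; pcre:"/^Referer\x3a\x20[^\r\n]+\/((index|toc)\.html?)?\?\/\//Hmi"; reference:cve,2013-1571; classtype:bad-unknown; sid:2017037; rev:2; metadata:created_at 2013_06_20, updated_at 2013_06_20;)
# Rawin EK landing URI: .php?[b=<6 hex>&]v=1.<JRE version>. Fix: the "6.0\." alternative had an unescaped dot ("6.0" matched "6" + any byte + "0"), unlike "4\.", "5\.0\." and "[7-8]\.0\." around it; escaped to "6\.0\." so only 1.6.0.x is accepted. rev 2 -> 3 (set updated_at when merging).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Rawin Exploit Kit Landing URI Struct"; flow:established,to_server; content:".php?"; http_uri; content:"v=1."; http_uri; fast_pattern; content:"."; http_uri; distance:1; within:1; pcre:"/\.php\?(b=[a-fA-F0-9]{6}&)?v=1\.(?:(?:4\.[0-2]\.[0-3]|5\.0\.[0-2]|6\.0\.[0-4])\d?|[7-8]\.0\.\d{1,2})$/U"; classtype:trojan-activity; sid:2017040; rev:3; metadata:created_at 2013_06_21, updated_at 2013_06_21;)
# AryaN IRC bot: plaintext PRIVMSG status lines sent to the C2 channel (only visible on unencrypted IRC).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Download and Execute Scheduled file command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Download and Execute Scheduled [File|3a|"; classtype:trojan-activity; sid:2017057; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)
# (content: "download" -> content:"download": whitespace only, for consistency with the rest of the file.)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC2"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:" |3a|[AryaN]|3a| "; within:30; content:"download"; nocase; classtype:trojan-activity; sid:2017056; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)
# Base64 alignment 1 of __applet_ssv_validated (Java security-warning bypass; see reference).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64"; flow:established,to_client; file_data; content:"X19hcHBsZXRfc3N2X3ZhbGlkYXRl"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016796; rev:5; metadata:created_at 2013_04_28, updated_at 2013_04_28;)
# Continues on the next line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated 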
in Base64 2"; flow:established,to_client; file_data; content:"9fYXBwbGV0X3Nzdl92YWxpZGF0"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016817; rev:4; metadata:created_at 2013_05_03, updated_at 2013_05_03;)
# Base64 alignment 3 of __applet_ssv_validated (alignments 1 and 2 are sid:2016796 and sid:2016817).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Java Applet JNLP applet_ssv_validated in Base64 3"; flow:established,to_client; file_data; content:"fX2FwcGxldF9zc3ZfdmFsaWRhdGVk"; flowbits:set,et.exploitkitlanding; reference:url,immunityproducts.blogspot.fr/2013/04/yet-another-java-security-warning-bypass.html; classtype:trojan-activity; sid:2016818; rev:4; metadata:created_at 2013_05_03, updated_at 2013_05_03;)
# Dotka Chef EK exploit/payload fetch: Java client, URI ?f=...&k=<16 digits>.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Dotka Chef EK exploit/payload URI request"; flow:to_server,established; content:"?f="; http_uri; content:"&k="; http_uri; pcre:"/&k=\d{16}(&|$)/U"; content:"Java/1"; http_user_agent; classtype:trojan-activity; sid:2017020; rev:10; metadata:created_at 2013_06_14, updated_at 2013_06_14;)
# CoolEK payload fetch (5): .txt?e=<digits>[&f|h=<digits>] in the URI buffer, no Referer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK Payload Download (5)"; flow:established,to_server; content:".txt?e="; http_uri; nocase; fast_pattern:only; content:!"Referer|3a| "; http_header; pcre:"/\.txt\?e=\d+(&[fh]=\d+)?$/U"; classtype:trojan-activity; sid:2016414; rev:8; metadata:created_at 2013_02_16, updated_at 2013_02_16;)
# AryaN IRC bot ack: " :<0x03>10OK:<0x03> " (0x03 + "10" looks like an IRC colour code) within 30 bytes of PRIVMSG; dsize:<256 limits it to short status messages.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot CnC1"; flow:established,to_server; dsize:<256; content:"PRIVMSG "; depth:8; content:"|20 3a 03|10OK|3a 03 20|"; within:30; classtype:trojan-activity; sid:2017055; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)
# Continues on the next line.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Flood command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Flood|3a| Started [Type|3a|"; 
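classtype:trojan-activity; sid:2017058; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)
# AryaN IRC bot "Botkill: Cycled once" status line.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS AryaN IRC bot Botkill command"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"Botkill|3a| Cycled once"; classtype:trojan-activity; sid:2017059; rev:1; metadata:created_at 2013_06_24, updated_at 2013_06_24;)
# Neutrino EK redirector: the URI is exactly /?wps=<one digit>.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Redirector To Landing Page"; flow:established,to_server; content:"/?wps="; http_uri; fast_pattern:only; pcre:"/^\x2F\x3Fwps\x3D[0-9]$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017068; rev:2; metadata:created_at 2013_06_26, updated_at 2013_06_26;)
# Neutrino EK TDS: the URI is exactly /clicker.php; any site serving that path will match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Neutrino Exploit Kit Clicker.php TDS"; flow:established,to_server; content:"/clicker.php"; http_uri; fast_pattern:only; pcre:"/^\x2Fclicker\x2Ephp$/U"; reference:url,malwaremustdie.blogspot.co.uk/2013/06/knockin-on-neutrino-exploit-kits-door.html; classtype:trojan-activity; sid:2017069; rev:2; metadata:created_at 2013_06_26, updated_at 2013_06_26;)
# jjencode-obfuscated applet tag (Dotka Chef EK). Fix: the PCRE's only named group is restored to (?P<var>.{1,10}); extraction had stripped "<var>" while leaving the (?P=var) back-references, so the pattern could not compile. Restoration of the published text only -- rev left at 2.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Applet tag in jjencode as (as seen in Dotka Chef EK)"; flow:established,from_server; file_data; content:",$$$$|3a|(![]+|22 22|)"; fast_pattern:only; content:"<|22|+"; pcre:"/^(?P<var>.{1,10})\.\$\_\$\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\x22\x5c\x5c\x22\+(?P=var)\.\_\_\$\+(?P=var)\.\$\$\_\+(?P=var)\.\_\_\_\+\(\!\[\]\+\x22\x22\)\[(?P=var)\.\_\$\_\]\+(?P=var)\.\$\$\$\_\+(?P=var)\.\_\_\+/R"; classtype:trojan-activity; sid:2017070; rev:2; metadata:created_at 2013_06_27, updated_at 2013_06_27;)
# Continues on the next line, where this copy of the file is damaged.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cool Exploit Kit iframe with obfuscated Java version check Jun 26 2013"; 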
flow:established,from_server; file_data; content:""; within:500; content:!"|0d|"; within:500; pcre:"/^\s*[^>]*?[a-zA-Z]+\s*?=\s*?[\x22\x27](?=[a-z]{0,20}[A-Z])(?=[A-Z]{0,20}[a-z])[A-Za-z]{15,21}[\x22\x27][^>]*?>(?=[A-Za-z_]{0,200}[0-9])(?=[0-9a-z_]{0,200}[A-Z])(?=[0-9A-Z_]{0,200}[a-z])[A-Za-z0-9_]{200}/R"; classtype:trojan-activity; sid:2020975; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Exploit_Kit, tag Nuclear, signature_severity Critical, created_at 2015_04_22, malware_family Nuclear, updated_at 2016_07_01;)
# NOTE(review): the line above is the header of the Jun 26 2013 "Cool Exploit Kit iframe" rule fused onto the body of sid:2020975 (Nuclear EK landing, 2015). The empty content:"" is a stripped tag-like token, and every rule between the two (mid-2013 through April 2015 sids) is absent from this copy. Do not load; restore from upstream.
# CottonCastle/Niteris landing URI: /5/<32 hex>/<spaces>http:/ (a URL carried as a path segment).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing URI Struct April 29 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:"/5/"; http_uri; fast_pattern; content:"http|3a|/"; distance:0; http_uri; pcre:"/\/5\/[a-f0-9]{32}\/\x20*http\x3a\x2f/U"; classtype:trojan-activity; sid:2021034; rev:2; metadata:created_at 2015_04_29, updated_at 2015_04_29;)
# CottonCastle landing: "lortnoCgA.lortnoCgA" is "AgControl.AgControl" (the Silverlight ActiveX ProgID) reversed, next to a call to reverse.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Landing April 29 2015"; flow:established,from_server; file_data; content:"lortnoCgA.lortnoCgA"; content:"reverse"; classtype:trojan-activity; sid:2021039; rev:2; metadata:created_at 2015_04_29, updated_at 2015_04_29;)
# CottonCastle SWF (zlib "CWS" header) once ET.CottonCasle.Exploit is set by sid:2021042. The flowbit keeps upstream's "CottonCasle" spelling; it is consistent between setter and checkers, so never "fix" one side alone. fast_pattern:25,20 = "/x-shockwave-flash\r\n".
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"CWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021044; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
# CottonCastle Silverlight XAP (contains AppManifest.xaml); continues on the next line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SilverLight Exploit April 30 2015"; flow:established,from_server; file_data; content:"AppManifest.xaml"; fast_pattern:only; 
flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021045; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
# Same as sid:2021044 but for an LZMA "ZWS" SWF header. The msg is identical to 2021044's, so alerts from the two are only distinguishable by sid.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK SWF Exploit April 30 2015"; flow:established,from_server; content:"Content-Type|3a| application/x-shockwave-flash|0d 0a|"; http_header; fast_pattern:25,20; file_data; content:"ZWS"; within:3; flowbits:isset,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021043; rev:2; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
# Setter for ET.CottonCasle.Exploit: /<digit>/<UPPER>/<32 hex>/<four dotted version-like fields>/ with "/%20http%3A" somewhere in the request headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CottonCastle/Niteris EK Exploit Struct April 30 2015"; flow:established,to_server; content:"GET"; http_method; pcre:"/\/\d\/[A-Z]+\/[a-f0-9]{32}\/[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\.[a-z]*?\d+\/?$/U"; content:"/%20http%3A"; http_header; fast_pattern:only; flowbits:set,ET.CottonCasle.Exploit; classtype:trojan-activity; sid:2021042; rev:5; metadata:created_at 2015_04_30, updated_at 2015_04_30;)
# Unknown EK landing: UA-string OS fingerprint (NT 5.1 = XP, NT 6.x = Vista and later).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Landing Page May 01 2015"; flow:from_server,established; file_data; content:"CM|3a 20|u.indexOf(|27|NT 5.1|27|) > -1"; content:"PS|3a 20|u.indexOf(|27|NT 6.|27|) > -1"; classtype:trojan-activity; sid:2021046; rev:2; metadata:created_at 2015_05_01, updated_at 2015_05_01;)
# Unknown EK secondary landing M1: FlashVars sh= carrying base64 of "cmd /c echo " ...
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M1"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=Y21kIC9jIGVjaG8g"; classtype:trojan-activity; sid:2021047; rev:2; metadata:created_at 2015_05_01, updated_at 2015_05_01;)
# ... and M2: base64 of "powershell.exe ". Continues on the next line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown EK Secondary Landing Page May 01 2015 M2"; flow:from_server,established; file_data; content:"FlashVars"; content:"sh=cG93ZXJzaGVsbC5leGUg"; classtype:trojan-activity; sid:2021048; rev:2; metadata:created_at 
2015_05_01, updated_at 2015_05_01;)
# Fiesta EK IE exploit: VML behavior CSS. NOTE(review): fast_pattern:only on the 4-byte "some" is a very weak pre-filter (it occurs in a large share of ordinary HTML); the long VML rule string would be the natural choice -- and "some" may itself be the remnant of a stripped tag. Check upstream before tuning.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK IE Exploit Apr 23 2015"; flow:established,from_server; file_data; content:"some"; fast_pattern:only; content:"<style>"; content:"|5c 3a|*{display|3a|inline-block|3b|behavior|3a|url(#default#VML)|3b|}</style>"; distance:3; within:65; classtype:trojan-activity; sid:2020980; rev:3; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
# Fiesta EK landing: a decoder function f(a1, a2){ ... String.fromCharCode(a2) ... } near a /Win64/i check.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Landing Apr 23 2015"; flow:established,from_server; file_data; content:"=window|3b|"; fast_pattern:only; content:"String.fromCharCode"; content:"|28 2f|Win64|3b 2f|i,"; nocase; content:"function"; pcre:"/^\s*?[^\x28\s]*?\x28\s*?(?P<a1>[^\s,\x29]+)\s*?,\s*?(?P<a2>[^\s,\x29]+)\s*?\x29\{[^\r\n]*?[\+=]String.fromCharCode\((?P=a2)\)[^\r\n]*?\}/Rs"; classtype:trojan-activity; sid:2020979; rev:3; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
# Fiesta EK Java exploit: inline Content-Disposition filename=<5-8 letters><2-3 digits>.jar with a PK body.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Java Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".jar"; http_header; fast_pattern:only; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.jar\r\n/Hm"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2020983; rev:3; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
# Same filename scheme for .swf; the body must start ?WS (CWS/FWS/ZWS).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK Flash Exploit Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".swf"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.swf\r\n/Hm"; file_data; content:"WS"; within:3; classtype:trojan-activity; sid:2020981; rev:3; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
# ... and for .xap (Silverlight); continues on the next line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fiesta EK SilverLight Exploit 
Apr 23 2015"; flow:established,from_server; content:"Content-Disposition|3a 20|inline|3b|"; http_header; content:".xap"; http_header; pcre:"/Content-Disposition\x3a\x20[^\r\n]+filename=[a-z]{5,8}\d{2,3}\.xap\r\n/Hm"; file_data; content:"AppManifest.xaml"; fast_pattern:only; classtype:trojan-activity; sid:2020982; rev:3; metadata:created_at 2015_04_23, updated_at 2015_04_23;)
# Magnitude EK Flash shellcode: "urlmon.dll\0http:/" followed by //<ipv4>/[?]<hex>|http:/ (presumably a download-and-execute string table).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Magnitude EK Flash Payload ShellCode Apr 23 2015"; flow:established,from_server; file_data; content:"urlmon.dll|00|http|3a 2f|"; pcre:"/^\x2f+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\x2f\??[a-f0-9]+\x7chttp\x3a\x2f/Rs"; classtype:trojan-activity; sid:2021054; rev:2; metadata:created_at 2015_05_04, updated_at 2015_05_04;)
# Multi-part macro download: body begins with the base64 of UTF-16LE "<text10>$".
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Trojan Multi-part Macro Download M1"; flow:established,from_server; file_data; content:"PAB0AGUAeAB0ADEAMAA+ACQA"; within:24; classtype:trojan-activity; sid:2020911; rev:3; metadata:created_at 2015_04_14, updated_at 2015_04_14;)
# CryptoPHP credential leak: .js?callback=...&data=bG9nP (base64 "log?") ... &_=<digits>. M1/M2/M3 cover the three base64 alignments of "&pwd=" (JnB3ZD / Zwd2Q9 / mcHdkP).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M1"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"JnB3ZD"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021081; rev:2; metadata:created_at 2015_05_08, updated_at 2015_05_08;)
# M2; continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M2"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"Zwd2Q9"; distance:0; http_uri; content:"&_="; distance:0; http_uri; 
pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021082; rev:2; metadata:created_at 2015_05_08, updated_at 2015_05_08;)
# M3: third base64 alignment of "&pwd=".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible CryptoPHP Leaking Credentials May 8 2015 M3"; flow:established,to_server; content:"GET"; http_method; content:".js?callback="; http_uri; content:"&data=bG9nP"; distance:0; http_uri; fast_pattern; content:"mcHdkP"; distance:0; http_uri; content:"&_="; distance:0; http_uri; pcre:"/&_=\d+$/U"; reference:url,research.zscaler.com/2015/05/compromised-wordpress-sites-leaking.html; classtype:trojan-activity; sid:2021083; rev:2; metadata:created_at 2015_05_08, updated_at 2015_05_08;)
# Disabled upstream (FlashPack URI format, 2013).
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CritX/SafePack/FlashPack URI Format June 17 2013 3"; flow:established,to_server; content:".php?hash="; http_uri; fast_pattern:only; pcre:"/\/(?:java(?:byte|db)|o(?:utput|ther)|r(?:hino|otat)|msie\d|load)\.php\?hash=/U"; reference:url,www.malwaresigs.com/2013/06/14/slight-change-in-flashpack-uri/; classtype:trojan-activity; sid:2017024; rev:4; metadata:created_at 2013_06_17, updated_at 2013_06_17;)
# Windows shortcut (.lnk; header size field 0x4C) whose UTF-16LE content mentions bitsadmin ... transfer -- a download-and-run LNK.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download file with BITS via LNK file (Likely Malicious)"; flow:established,from_server; file_data; content:"|4c 00 00 00|"; within:4; content:"|00|b|00|i|00|t|00|s|00|a|00|d|00|m|00|i|00|n|00|"; nocase; content:"|00|t|00|r|00|a|00|n|00|s|00|f|00|e|00|r|00|"; nocase; classtype:trojan-activity; sid:2021092; rev:2; metadata:created_at 2015_05_13, updated_at 2015_05_13;)
# Dridex macro: "Microsoft.XMLHTTP" assembled from Chr() calls; continues on the next line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Dridex Remote Macro Download"; flow:established,from_server; file_data; content:"(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & 
Chr(84) & Chr(80)"; nocase; classtype:trojan-activity; sid:2021093; rev:2; metadata:created_at 2015_05_13, updated_at 2015_05_13;)
# DNSChanger EK landing: hidden "myip" input plus CryptoJSAesJson. fast_pattern:11,20 = ="hidden" id="myip"> (the last 20 bytes of the 31-byte content).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing May 12 2015"; flow:established,from_server; file_data; content:"<input type=|22|hidden|22| id=|22|myip|22|>"; nocase; fast_pattern:11,20; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021090; rev:3; metadata:created_at 2015_05_12, updated_at 2015_05_12;)
# DNSChanger secondary landing: WebSocket-capability probe concatenated into the beacon, plus CryptoJSAesJson.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Secondary Landing May 12 2015 M2"; flow:established,from_server; file_data; content:"&|22|+DetectRTC.isWebSocketsSupported+|22|&|22|+"; nocase; content:"CryptoJSAesJson"; nocase; classtype:trojan-activity; sid:2021110; rev:2; metadata:created_at 2015_05_16, updated_at 2015_05_16;)
# Sundown EK landing: a "<!-- SEED:" marker plus a classid= whose "clsid:" letters may each be HTML-entity-encoded and whose value is NOT a plain hex GUID but contains escaped/encoded bytes.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sundown EK Landing May 21 2015 M1"; flow:from_server,established; file_data; content:"|3c 21 2d 2d 20 53 45 45 44 3a|"; nocase; fast_pattern:only; content:"classid"; nocase; pcre:"/^\s*?=\s*?[\x22\x27](?:c|&#(?:x[64]3|99|67)\x3b)(?:l|&#(?:x[64]c|108|76)\x3b)(?:s|&#(?:x[75]3|115|83)\x3b)(?:i|&#(?:x[64]9|105|73)\x3b)(?:d|&#(?:x[64]4|100|68)\x3b)(?:\x3a|&#(?:x3a|58)\x3b)(?![a-fA-F0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})[^\x22\x27]+(?:(?:\x5c|&#)(?:5[01234567]|10[012]|6[5678]|4[589]|9[789]|7[09])|(?:\x25|&#x)(?:4[123456]|6[123456]|3\d|2D))/Rsi"; classtype:trojan-activity; sid:2021136; rev:2; metadata:created_at 2015_05_21, updated_at 2015_05_21;)
# DNSChanger landing URI: /stat/load<MixedCase name>.php where the name equals the first label of the Host header (PCRE over the raw request, no buffer). Continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS DNSChanger EK Landing URI Struct May 22 2015"; flow:to_server,established; content:"/stat/load"; http_uri; fast_pattern:only; content:".php"; http_uri; pcre:"/^GET\s*?\/stat\/load(?=(?-i)[a-z0-9]*?[A-Z])(?=(?-i)[A-Z0-9]*?[a-z])(?P<hname>[a-z0-9]+)\.php\s.+?Host\x3a\x20(?P=hname)\./smi"; classtype:trojan-activity; 
sid:2021141; rev:2; metadata:created_at 2015_05_22, updated_at 2015_05_22;)
# Certificate CN (OID 2.5.4.3 = |55 04 03|) of exactly "formationtraffic.com": |14| is the 20-byte DER length and distance:1 skips the string-type byte. This is a raw-payload match on the TLS stream; on current Suricata the tls.cert_subject buffer would be the tighter form.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_05_26, updated_at 2016_07_01;)
# GIF89a header immediately followed by "=...;url=...iframe...;tail=": a GIF polyglot carrying an injected JS iframe.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Evil JS iframe Embedded In GIF"; flow:established,from_server; file_data; content:"GIF89a="; nocase; within:8; content:"|3b|url="; nocase; distance:0; content:"iframe"; nocase; distance:0; content:"|3b|tail="; nocase; distance:0; fast_pattern; classtype:trojan-activity; sid:2021156; rev:2; metadata:created_at 2015_05_28, updated_at 2015_05_28;)
# Fake-AV / tech-support scam landing pages, matched on page text only.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 2 2015"; flow:established,from_server; file_data; content:"<title>WARNING|3a| INTERNET SECURITY ALERT"; nocase; fast_pattern; content:"function myFunction|28 29|"; nocase; distance:0; content:"Due to Suspicious Activity"; nocase; distance:0; classtype:trojan-activity; sid:2021177; rev:2; metadata:created_at 2015_06_03, updated_at 2015_06_03;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M1"; flow:established,to_client; file_data; content:"MICROSOFT WINDOWS SECURITY ALERT"; nocase; fast_pattern; content:"WARNING: VIRUS CHECK"; nocase; distance:0; classtype:trojan-activity; sid:2021181; rev:2; metadata:created_at 2015_06_04, updated_at 2015_06_04;)
# Continues on the next line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M2"; flow:established,to_client; file_data; content:"WARNING: VIRUS CHECK"; fast_pattern; nocase; content:"function myFunction|28 29|"; nocase; 
distance:0; content:"There is a .net frame work file missing due to some harmfull virus"; nocase; distance:0; classtype:trojan-activity; sid:2021182; rev:2; metadata:created_at 2015_06_04, updated_at 2015_06_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 4 2015 M3"; flow:established,to_client; file_data; content:"Advised System Support!"; fast_pattern; nocase; content:"Your Computer May Not Be Protected"; nocase; distance:0; content:"Possible network damages if virus not removed immediately"; nocase; distance:0; classtype:trojan-activity; sid:2021183; rev:2; metadata:created_at 2015_06_04, updated_at 2015_06_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M1"; flow:established,to_client; file_data; content:"INTERNET BROWSER PROCESS WARNING ERROR"; nocase; fast_pattern:33,20; content:"WINDOWS HEALTH IS CRITICAL"; nocase; distance:0; classtype:trojan-activity; sid:2021206; rev:2; metadata:created_at 2015_06_08, updated_at 2015_06_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Fake AV Phone Scam Landing June 8 2015 M2"; flow:established,to_client; file_data; content:"Norton Firewall Warning"; fast_pattern:18,20; nocase; content:"function myFunction|28 29|"; nocase; distance:0; content:"Windows has blocked access to the Internet."; nocase; distance:0; classtype:trojan-activity; sid:2021207; rev:2; metadata:created_at 2015_06_08, updated_at 2015_06_08;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Page"; flow:to_server,established; content:"/main.html"; http_uri; fast_pattern:only; pcre:"/\/main\.html$/U"; content:"/index.html"; http_header; pcre:"/\b[a-z]{2}\d+\s*?=\s*?Yes/C"; classtype:trojan-activity; sid:2020392; rev:5; metadata:created_at 2015_02_10, updated_at 2015_02_10;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Evil JS used in 
Unknown EK Landing"; flow:established,from_server; file_data; content:"|74 3d 75 74 66 38 74 6f 31 36 28 78 78 74 65 61 5f 64 65 63 72 79 70 74 28 62 61 73 65 36 34 64 65 63 6f 64 65 28 74 29 2c|"; nocase; classtype:trojan-activity; sid:2021217; rev:2; metadata:created_at 2015_06_09, updated_at 2015_06_09;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS KaiXin Secondary Landing Jun 09 2015"; flow:established,to_server; content:"/main.html"; http_uri; nocase; fast_pattern:only; content:"/index.html"; http_header; nocase; content:"cck_lasttime"; http_cookie; nocase; classtype:trojan-activity; sid:2021219; rev:4; metadata:created_at 2015_06_09, updated_at 2015_06_09;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Evil Redirector Leading to EK June 11 2015"; flow:established,from_server; content:"javascript"; http_header; content:"nginx"; nocase; http_header; file_data; pcre:"/^\s*?/Rs"; content:"document.write|28 28 22||22 29 3b 7d|"; classtype:bad-unknown; sid:2011978; rev:5; metadata:created_at 2010_11_24, updated_at 2010_11_24;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5; metadata:created_at 2011_03_15, updated_at 2011_03_15;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY ACH - Redirection"; flow:from_server,established; file_data; content:"NACHA"; classtype:bad-unknown; sid:2013474; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, 
signature_severity Major, created_at 2011_08_26, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013484; rev:4; metadata:created_at 2011_08_29, updated_at 2011_08_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4; metadata:created_at 2011_08_29, updated_at 2011_08_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Phoenix landing page JAVASMB"; flow:established,to_client; file_data; content:"JAVASMB()"; classtype:bad-unknown; sid:2013486; rev:4; metadata:created_at 2011_08_30, updated_at 2011_08_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, updated_at 2011_09_16;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"< $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2"; flow:established,from_server; file_data; content:"/Subtype /U3D"; content:"/Contents (a pwning u3d model) /3DI false > /3DA << /A /PO /DIS /I >> /Rect [0 0 640 480] /3DD 10 0 R /F 7 >>"; distance:0; 
reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013997; rev:6; metadata:created_at 2011_12_08, updated_at 2011_12_08;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING Alureon Malicious IFRAME"; flow:established,to_client; file_data; content:"name=\"Twitter\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height = \"1px\" width = \"1px\">"; classtype:bad-unknown; sid:2014039; rev:5; metadata:created_at 2011_12_22, updated_at 2011_12_22;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Driveby Delivered Malicious PDF"; flow:established,from_server; file_data; content:"%PDF"; depth:4; content:"/Author (yvp devo)/Creator (bub lob)"; distance:0; classtype:trojan-activity; sid:2014142; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_01_23, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown Landing Page Received"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Rhino Scripting Engine Exploit Downloaded"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"com.class"; content:"edu.class"; content:"net.class"; content:"org.class"; classtype:bad-unknown; sid:2014243; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_02_20, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Java Atomic Exploit Downloaded"; flow:established,from_server; 
flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:",CAFEBABE00000030007A0A002500300A003100320700"; distance:0; classtype:bad-unknown; sid:2014295; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_02_29, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; http_header; content:".exe"; http_header; content:"load/"; http_header; fast_pattern; file_data; content:"MZ"; depth:2; classtype:attempted-user; sid:2014314; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_03_05, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito libtiff PDF Exploit Recieved"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; content:".pdf"; distance:0; file_data; content:"%PDF-"; depth:5; content:"< $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:bad-unknown; sid:2014526; rev:3; metadata:created_at 2012_04_06, updated_at 2012_04_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra - page redirecting to a SutraTDS"; flow:established,to_client; file_data; content:"?igc.ni/"; distance:0; classtype:bad-unknown; sid:2014549; rev:3; metadata:created_at 2012_04_12, updated_at 2012_04_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; 
classtype:trojan-activity; sid:2014560; rev:7; metadata:affected_product Any, attack_target Client_and_Server, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, tag Metasploit, signature_severity Critical, created_at 2012_04_13, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:6; metadata:created_at 2012_04_13, updated_at 2012_04_13;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Determining OS MAC and Serving Java Archive File"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS ET CURRENT_EVENTS Italian Spam Campaign ZIP with EXE Containing Many Underscores"; flow:from_server,established; file_data; content:"|50 4b 03 04|"; within:4; byte_test:2,>,50,22,relative; content:"|5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 5f 2e|exe"; distance:22; within:150; classtype:trojan-activity; sid:2014577; rev:5; metadata:created_at 2012_04_16, updated_at 2012_04_16;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Compromised Site Served To Local Client"; flow:established,from_server; file_data; content:""; distance:1; within:10; classtype:attempted-user; sid:2014607; rev:10; metadata:created_at 2012_04_17, updated_at 2012_04_17;) #alert http $HOME_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:""; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:9; metadata:created_at 2012_04_17, updated_at 2012_04_17;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; 
flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; distance:0; classtype:trojan-activity; sid:2014665; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_05_02, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer! $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:4; metadata:created_at 2012_06_21, updated_at 2012_06_21;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3; metadata:created_at 2012_06_26, updated_at 2012_06_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:3; metadata:created_at 2012_06_29, updated_at 2012_06_29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; 
rev:5; metadata:created_at 2012_06_29, updated_at 2012_06_29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:6; metadata:created_at 2012_06_29, updated_at 2012_06_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:3; metadata:created_at 2012_07_02, updated_at 2012_07_02;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:6; metadata:created_at 2012_07_12, updated_at 2012_07_12;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|>"; classtype:trojan-activity; sid:2015057; rev:4; metadata:created_at 2012_07_12, updated_at 2012_07_12;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit 
Kit)"; flow:to_client,established; file_data; content:"CWS"; depth:3; content:" $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2012_08_10, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class 1 May 24 2013"; flow:to_client,established; file_data; content:"gonagExp.class"; fast_pattern:only; flowbits:isset,ET.http.javaclient; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2016923; rev:14; metadata:created_at 2013_05_24, updated_at 2013_05_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SweetOrange - Java Exploit Downloaded"; flow:established,from_server; file_data; content:".classPK"; content:".mp4PK"; fast_pattern; within:80; classtype:trojan-activity; sid:2017476; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_09_17, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible HanJuan Landing March 20 2015"; flow:established,from_server; content:"Server|3a 20|nginx"; http_header; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:!""; content:!""; content:""; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025912; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible 
Malvertising EK Redirect to EK M2"; flow:established,to_server; content:"GET"; http_method; content:".asp?id="; http_uri; isdataat:!5,relative; http_referer; content:".php?JBOSSESSION="; fast_pattern; http_accept_enc; content:"gzip, deflate"; depth:13; isdataat:!1,relative; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025913; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Underminer EK Flash Exploit"; flow:established,to_client; file_data; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; fast_pattern; content:"]*? name\s*=\s*[\x22\x27]flashvars)[^>]*? value\s*=\s*[\x22\x27]url=https?\x3a[^\x22\x27]*?\.wasm/Rsi"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2025914; rev:2; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, tag Underminer_EK, signature_severity Major, created_at 2018_07_26, updated_at 2018_07_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Underminer EK Landing"; flow:established,to_client; content:"200"; http_stat_code; content:"Content-Encoding|3a 20|gzip|0d 0a|"; http_header; content:"X-UA-Compatible|3a 20|IE=9|3b 20|IE=8|3b 20|IE=7|0d 0a|"; http_header; file_data; content:"style=|22|width|3a|1px|3b|height|3a|1px|22|"; nocase; content:"position|3a 20|absolute|3b 20|left|3a 20|-"; nocase; content:"px|3b 20|width|3a 20|1px|3b 20|height|3a 20|1px|3b 22|"; within:40; content:""; distance:0; content:""; distance:0; content:"<|2F|id>"; distance:1; within:9; content:"<|2F|dict>"; distance:0; classtype:trojan-activity; sid:2013325; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;) 
# Disabled ("GPL DELETED") rules kept for history. NOTE(review): sid:2102440, the rtsp variant of the RealPlayer
# playlist overflow check, pairs content:"rtsp|3A|//" with pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi" — the pcre
# still looks for a 400+ byte "http://" line, so the rtsp URL itself is never length-checked (looks like a copy of
# the http variant sid:2102439; the file variant sid:2102438 uses a matching "^file" pcre). If this rule is ever
# re-enabled the pcre presumably needs "^rtsp" — confirm against the original GPL rule.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist http URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102439; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist rtsp URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102440; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2102589; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED RealPlayer playlist file URL overflow attempt"; flow:from_server,established; flowbits:isset,realplayer.playlist; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; reference:bugtraq,9579; reference:cve,2004-0258; classtype:attempted-user; sid:2102438; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"GPL DELETED xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2102041; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ET DELETED Backdoor W32/Phanta Checkin"; flow:established,to_server; content:"/do.php?userid="; http_uri; content:"&time="; http_uri; content:"&msg="; http_uri; content:"&ver="; http_uri; content:"&os="; http_uri; content:"&fy="; http_uri; content:"&pauid="; http_uri; content:"&checkId="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FPopureb.A; reference:url,www.threatexpert.com/report.aspx?md5=0012a0b60572dfa4f42a4325507841d8; classtype:trojan-activity; sid:2013343; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Generic Trojan Checkin"; flow:established,to_server; content:"unit_id="; http_uri; content:"&uv_id="; http_uri; content:"&uv_new="; http_uri; content:"&url="; http_uri; content:"&charset="; http_uri; content:"&hashval="; http_uri; content:"&app="; http_uri; content:"&lg="; http_uri; classtype:trojan-activity; sid:2013204; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - Rar Requested but not received"; flow:established,from_server; flowbits:isset,ET.rar_seen; flowbits:unset,ET.rar_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:!"|0d 0a 0d 0a 52 61 72 21 1A 07|"; depth:300; reference:url, www.win-rar.com/index.php?id=24&kb=1&kb_article_id=162; reference:url,doc.emergingthreats.net/2008783; classtype:trojan-activity; sid:2008783; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Set flow on rar file get"; flow:established,to_server; content:"GET"; http_method; content:".rar"; http_uri; content:".rar HTTP/1."; flowbits:set,ET.rar_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2008781; classtype:trojan-activity; sid:2008781; rev:6; metadata:created_at 2010_07_30, updated_at 
2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/TrojanDropper.Agent Checkin"; flow:established,to_server; content:".gif?aid="; http_uri; content:"&lc="; http_uri; content:"&time="; http_uri; content:"&flag="; http_uri; content:"&domain="; http_uri; classtype:trojan-activity; sid:2013402; rev:3; metadata:created_at 2011_08_11, updated_at 2011_08_11;) #alert http any any -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; within: 12; reference:url,doc.emergingthreats.net/bin/view/Main/2001685; classtype:trojan-activity; sid:2001685; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Metarewards Disclaimer Access"; flow: to_server,established; uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; classtype:policy-violation; sid:2002309; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Mitglieder Proxy Trojan CnC"; dsize:2; byte_test:2, >, 1024, 0; threshold:type both, track by_src, count 1000, seconds 300; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Win32%2fMitglieder; classtype:trojan-activity; sid:2013418; rev:5; metadata:created_at 2011_08_17, updated_at 2011_08_17;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DELETED MS Terminal Server User A Login, possible Morto inbound"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash=a|0d 0a|"; nocase; reference:cve,CAN-2001-0540; classtype:protocol-command-decode; sid:2013497; rev:2; metadata:created_at 2011_08_30, updated_at 2011_08_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
(msg:"ET DELETED PDF Name Representation Obfuscation of JBIG2Decode, Very Likely Memory Corruption Attempt"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/"; within:50; content:!"JBIG2Decode"; within:11; content:"#"; within:31; pcre:"/\x3C\x3C(\x0D\x0A|\x0A)[^>]*\x2F[^JBIG2Decode](J|#4A)(B|#42)(I|#49)(G|#47)(2|#32)(D|#44)(e|#65)(c|#63)(o|#6F)(d|#64)(e|#65)/smi"; reference:url,blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/; reference:url,blog.didierstevens.com/2009/03/01/quickpost-jbig2decode-signatures/; reference:bugtraq,33751; reference:cve,2009-0658; classtype:attempted-user; sid:2011534; rev:7; metadata:created_at 2010_09_27, updated_at 2010_09_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent FSD - Possible FakeAV Related"; flow:established,to_server; content:"User-Agent|3A 20|FSD|0D 0A|"; http_header; classtype:trojan-activity; sid:2013393; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_10, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Pitbull IRCbotnet Fetch"; flow:to_server,established; content:"Accept|3a20|*/*|0d0a|User-Agent|3a20|Mozilla/5.0|0d0a|"; http_header; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007626; classtype:trojan-activity; sid:2007626; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; http_header; classtype:trojan-activity; sid:2012316; rev:3; metadata:created_at 2011_02_17, updated_at 2011_02_17;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED PinBall Corp. 
Related suspicious activity"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| PinBallCorp-BSAI"; reference:url,doc.emergingthreats.net/2009908; classtype:trojan-activity; sid:2009908; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; http_header; classtype:bad-unknown; sid:2013248; rev:3; metadata:created_at 2011_07_11, updated_at 2011_07_11;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold:type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013334; rev:4; metadata:created_at 2011_07_29, updated_at 2011_07_29;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SSL MiTM Vulnerable or EOL iOS 4.x device"; flow:established,to_server; content:"Mozilla/5.0 (iP"; http_header; content:" OS 4_"; http_header; distance:0; pcre:"/OS 4_[0-3]_[1-4] like/H"; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; classtype:not-suspicious; sid:2013335; rev:5; metadata:created_at 2011_07_29, updated_at 2011_07_29;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Rbot User-Agent (tiehttp)"; flow:established,to_server; content:"User-Agent|3A 20|tiehttp"; http_header; classtype:trojan-activity; sid:2013449; rev:3; metadata:created_at 2011_08_22, updated_at 2011_08_22;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Driveby Download Secondary Request 4"; 
flow:established,to_server; content:"main.php?page="; http_uri; pcre:"/[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2013651; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2011_09_13, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/iU"; content: "&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009412; classtype:trojan-activity; sid:2009412; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"GPL DELETED HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:2100510; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:trojan-activity; sid:2013722; rev:2; metadata:created_at 2011_09_30, updated_at 2011_09_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED W32/iGrabber Info Stealer FTP Upload"; flow:established,to_server; content:"iGrabber Logs"; offset:4; depth:13; classtype:trojan-activity; sid:2013727; rev:1; metadata:created_at 2011_09_30, updated_at 2011_09_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED dildo"; flow:to_client,established; content:"dildo"; nocase; classtype:policy-violation; sid:2101781; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED 
nipple clamp"; flow:to_client,established; content:"nipple"; nocase; content:"clamp"; nocase; classtype:policy-violation; sid:2101782; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED raw sex"; flow:to_client,established; content:"raw sex"; nocase; classtype:policy-violation; sid:2101786; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED oral sex"; flow:to_client,established; content:"oral sex"; nocase; classtype:policy-violation; sid:2101783; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Parite CnC Checkin"; flow:established,to_server; content:"?MI="; http_uri; content:"&os="; http_uri; content:"&TE="; http_uri; content:"&TV="; http_uri; content:!"SeaPort/"; http_header; classtype:trojan-activity; sid:2013716; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2011_09_30, malware_family Parite, updated_at 2017_07_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED New Malware Information Post"; flow:to_server,established; content:"POST"; nocase; http_method; content:"|0d 0a|Pragma|3a| no-cache|0d 0a 0d 0a|"; http_header; content:"|C9 78 C7 02 69 06 7E 34 78 17|"; fast_pattern; reference:url,doc.emergingthreats.net/2009092; classtype:trojan-activity; sid:2009092; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Akamai Redswoosh CLIOnlineManager Connection Detected"; flow:established,to_server; content:"PUT "; depth:4; nocase; content:"|0d 0a|User-Agent|3a|"; content:"rswin_3725.dll"; within:30; nocase; reference:url,doc.emergingthreats.net/2011275; classtype:policy-violation; sid:2011275; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED OWASP Joomla Vulnerability Scanner Detected"; flow:established,to_server; content:"HEAD "; depth:5; content:"/joomla/"; content:"|0d 0a|User-Agent|3a| Mozilla/5.0 (Windows\; U\; Windows NT 5.2\; en-US\; rv|3a|1.9.0.3) Gecko/2008092417 Firefox/3.0.3"; pcre:"/(/joomla/admin|/joomla/administrator|/joomla/manage|/joomla/administration)/U"; threshold: type threshold, track by_dst, count 4, seconds 15; reference:url,www.owasp.org/index.php/Category%3aOWASP_Joomla_Vulnerability_Scanner_Project; reference:url,doc.emergingthreats.net/2009837; classtype:attempted-recon; sid:2009837; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banload iLLBrain Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_uri; content:"/iLL"; http_uri; content:".xxx"; http_uri; reference:url,doc.emergingthreats.net/2008328; classtype:trojan-activity; sid:2008328; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Worm.Win32.Koobface.C User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| Mozilla/5.01"; content:"Gecko/2005"; fast_pattern; within:50; content:"Firefox/3"; distance:5; reference:url,doc.emergingthreats.net/2008848; classtype:trojan-activity; sid:2008848; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot related infection - Unique HTTP get request"; flow:established,to_server; content:".dll|0d 0a|e|20|HTTP/1.1"; rawbytes; content:!"User-Agent|3a|"; nocase; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003432; classtype:trojan-activity; sid:2003432; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) 
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Nukebot Checkin"; flow:established,to_server; content:"POST "; rawbytes; depth:5; uricontent:"/script.php?"; content:!"User-Agent|3a|"; nocase; pcre:"/\/script\.php?\d{8}/Ui"; content:"Kernel|3a|"; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=743; reference:url,doc.emergingthreats.net/2003433; classtype:trojan-activity; sid:2003433; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Spambot (often Tibs) Post-Infection Checkin"; flow:established,to_server; uricontent:"/access.php?"; nocase; uricontent:"w="; nocase; uricontent:"&a="; nocase; content:"|0d 0a|Host|3a| "; pcre:"/Host\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a|"; content:!"|0d 0a|User-Agent|3a| "; reference:url,doc.emergingthreats.net/2008174; classtype:trojan-activity; sid:2008174; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User-Agent Detected (Windows+NT)"; flow:established,to_server; content:"User-Agent|3a| Windows+NT"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008600; classtype:trojan-activity; sid:2008600; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Torpig Ping-Pong Keepalives Outbound"; flow:to_server; dsize:<20; content:"PONG |3a|"; depth:6; reference:url,doc.emergingthreats.net/2010824; classtype:trojan-activity; sid:2010824; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Torpig Ping-Pong Keepalives Inbound"; flow:from_server; 
dsize:<20; content:"PING |3a|"; depth:6; reference:url,doc.emergingthreats.net/2010825; classtype:trojan-activity; sid:2010825; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED B0tN3t IRCbotnet"; flow:from_server,established; content:"|3a|"; offset:0; depth:1; content:"B0tN3t"; within:32; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; reference:url,en.wikipedia.org/wiki/Botnet; reference:url,doc.emergingthreats.net/2007672; classtype:misc-activity; sid:2007672; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 1)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; reference:url,doc.emergingthreats.net/2006910; classtype:trojan-activity; sid:2006910; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED perlb0t/w0rmb0t Response (Case 3)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02|"; content:"|02|"; within: 32; pcre:"/\x3A\x02(Alvo dos Pacotes|Conectando-se em|M.dia de envio|Tempo.*|Total .*)\x02/i"; reference:url,doc.emergingthreats.net/2006912; classtype:trojan-activity; sid:2006912; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET !6666:7000 -> $HOME_NET any (msg:"ET DELETED IRC Name response on non-standard port"; flow: to_client,established; dsize:<128; content:"|3a|"; depth:1; content:" 302 "; content:"=+"; content:"@"; reference:url,doc.emergingthreats.net/bin/view/Main/2000346; classtype:trojan-activity; sid:2000346; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ET DELETED Kaiten IRCbotnet login"; flow:to_server,established; content:"NICK|20|"; depth:5; content:"USER|20|"; within:32; content:"localhost|20|localhost|20 3A|"; within:32; pcre:"/NICK\x20\S+\x0AUSER\x20\S+localhost\x20localhost\x20\x3A/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007621; classtype:trojan-activity; sid:2007621; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> any any (msg:"ET DELETED Pitbull IRCbotnet Response"; flow:established; content:"PRIVMSG|20|"; content:"|3A|"; within:32; content:"4"; within:5; content:"12"; within:5; content:"|3a|"; within:5; pcre:"/\x3a.4\x7c.12.\x3a.4/"; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007624; classtype:trojan-activity; sid:2007624; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Suspicious User Agent Maxthon"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| SV1|3b| Maxthon"; http_header; reference:url,doc.emergingthreats.net/2011118; classtype:trojan-activity; sid:2011118; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3; metadata:created_at 2011_10_19, updated_at 2011_10_19;) #alert tcp $HOME_NET any -> any 6667 (msg:"ET DELETED Likely Botnet Activity"; flow:to_server,established; content:"PRIVMSG|20|"; depth:8; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total 
bytes|M?dia de envio|portas? aberta)/i"; reference:url,doc.emergingthreats.net/bin/view/Main/2001620; classtype:string-detect; sid:2001620; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible Redirection to Unknown Exploit Pack"; flow:established,to_client; content:"document.write|28|unescape|28 22|%3Cscript src=|27 22 20 2B 20|"; nocase; reference:url,www.kahusecurity.com/2011/malware-infection-from-new-exploit-pack/; classtype:misc-attack; sid:2013804; rev:4; metadata:created_at 2011_10_25, updated_at 2011_10_25;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Lighty Variant or UltimateDefender POST"; flow:established,to_server; content:"POST"; http_method; content:".php"; content:"gd="; content:"&affid="; content:"&subid="; content:"&prov="; nocase; fast_pattern; reference:url,doc.emergingthreats.net/2008784; classtype:trojan-activity; sid:2008784; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET DELETED Unknown Malware Keepalive"; flow:established,to_server; content:"keepalive"; nocase; depth:9; pcre:"/keepalive([0-9]{4}|\x7c[0-9]{4})/i"; threshold: type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2012409; rev:3; metadata:created_at 2011_03_02, updated_at 2011_03_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin 1"; flow:established,to_server; content:"/WebIpc.asp?UID="; 
http_uri; content:"&NAME="; http_uri; content:"&mode="; http_uri; classtype:trojan-activity; sid:2013370; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Trojan Checkin 2"; flow:established,to_server; content:"/link32.asp?SID="; http_uri; content:"&UID="; http_uri; content:"&MID="; http_uri; classtype:trojan-activity; sid:2013371; rev:3; metadata:created_at 2011_08_05, updated_at 2011_08_05;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; http_header; classtype:bad-unknown; sid:2013836; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Banker.OT Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"praquem="; http_client_body; fast_pattern; content:"&titulo="; http_client_body; content:"&texto="; http_client_body; reference:url,doc.emergingthreats.net/2007823; classtype:trojan-activity; sid:2007823; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole obfuscated Javascript padded charcodes 25"; flow:established,from_server; content:"75"; depth:500; content:"86"; within:4; content:"74"; within:4; content:"92"; within:4; content:"84"; within:4; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013950; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_11_23, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spamblockerutility.com-Hotbar User Agent (sbu-hb-)"; flow:to_server,established; 
content:"sbu-hb-"; http_header; pcre:"/User-Agent\x3a[^\n]+sbu-hb-/i"; reference:url,doc.emergingthreats.net/2003363; classtype:trojan-activity; sid:2003363; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL DELETED cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:2100320; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DELETED EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:2100314; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DELETED EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:2100303; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Hiloti loader receiving payload URL"; flow:established,from_server; content:"|0d 0a 0d 0a|20|0d 0a|http|3a|//"; classtype:trojan-activity; sid:2012515; rev:5; metadata:created_at 2011_03_16, updated_at 2011_03_16;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus POST Request to CnC"; flow:established,to_server; content:"POST"; http_method; content:" HTTP/1.1|0d 0a|Accept|3a| */*|0d 0a|User-Agent|3a| Mozilla"; fast_pattern; content:"|0d 0a|Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0d 0a|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0d 0a 0d 0a|"; distance:0; 
content:!"Content-Type|3a| "; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011816; rev:16; metadata:created_at 2010_10_14, updated_at 2010_10_14;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED TROJAN SEO HTTP REFERER landing capture rewrite, likely Fake AV"; flow:established,to_server; content:"GET"; http_method; content:"|0d 0a|Referer|3a| "; content:"search?"; nocase; within:50; content:"q="; nocase; within:100; uricontent:".com"; nocase; pcre:"/\/[a-z]+\/[a-z0-9]{120,}\/[a-z0-9]+\/.+\.com$/U"; reference:url,doc.emergingthreats.net/2011066; classtype:trojan-activity; sid:2011066; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Trojan Dropper User-Agent Firefox/3.6.3"; flow:established,to_server; content:"User-Agent|3A| Firefox/3.6.3"; http_header; classtype:trojan-activity; sid:2013341; rev:3; metadata:created_at 2011_08_02, updated_at 2011_08_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Scalaxy exploit kit binary download request"; flow:established,to_server; content:"/"; http_uri; offset:2; depth:3; content:"/"; http_uri; within:3; urilen:37; pcre:"/\/[a-z]\/[0-9]\/[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2014026; rev:1; metadata:created_at 2011_12_12, updated_at 2011_12_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Altnet PeerPoints Manager Traffic User-Agent (Peer Points)"; flow: established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"Peer Points"; http_header; within:150; pcre:"/User-Agent\:[^\n]+Peer Points/iH"; reference:url,doc.emergingthreats.net/2001640; classtype:policy-violation; sid:2001640; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent 
(BlueSky)"; flow:to_server,established; content:"User-Agent|3a| BlueSky|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011084; classtype:trojan-activity; sid:2011084; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (GM Login)"; flow:to_server,established; content:"User-Agent|3a| GM Login|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011273; classtype:trojan-activity; sid:2011273; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED User-Agent (MSIE XPSP2)"; flow:to_server,established; content:"MSIE XPSP2"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2003200; classtype:trojan-activity; sid:2003200; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Spyaxe Spyware User-Agent (spyaxe)"; flow:to_server,established; content:" spyaxe "; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2002807; classtype:trojan-activity; sid:2002807; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; content:!"|0d 0a|MZ"; classtype:trojan-activity; sid:2014019; rev:4; metadata:created_at 2011_12_09, updated_at 2011_12_09;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zango-Hotbar User-Agent (zbu-hb-)"; flow:to_server,established; content:"zbu-hb-"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+zbu-hb-/Hi"; 
reference:url,doc.emergingthreats.net/2003305; classtype:trojan-activity; sid:2003305; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> any any (msg:"ET DELETED Suspicious User-Agent (asp2009)"; flow: established, to_server; content:"User-Agent|3a| asp2009|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=6cad864a439da7bbd6f1cec941cca72b; reference:url,doc.emergingthreats.net/2010136; classtype:trojan-activity; sid:2010136; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown checkin"; flow:established,to_server; content:"POST"; http_method; content:"/c.php"; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0|3b| |0d 0a|"; http_header; classtype:trojan-activity; sid:2013803; rev:5; metadata:created_at 2011_10_25, updated_at 2011_10_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Searchmeup Spyware Install (toolbar)"; flow: to_server,established; content:"/dkprogs/toolbar.txt"; http_uri; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; classtype:trojan-activity; sid:2001473; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HSN.com Toolbar Spyware User-Agent (HSN)"; flow:to_server,established; content:"User-Agent|3a| "; nocase; http_header; content:"HSN"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+HSN/iH"; reference:url,doc.emergingthreats.net/2003495; classtype:trojan-activity; sid:2003495; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ET DELETED Wild Tangent Agent User-Agent (WildTangent)"; flow: to_server,established; content:"WildTangent"; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Wildtangent/iH"; reference:url,doc.emergingthreats.net/2001639; classtype:trojan-activity; sid:2001639; rev:30; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; metadata: former_category CURRENT_EVENTS; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_22, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 3"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014051; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_30, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity 
Critical, created_at 2011_12_30, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Likely Flash exploit download request score.swf"; flow:established,to_server; content:"/score.swf"; http_uri; metadata: former_category CURRENT_EVENTS; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014053; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_30, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Serving PDF - Possible hostile content (PDF)"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx"; depth:300; content:"%PDF-"; within:300; threshold:type limit, seconds 60, count 10, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2009076; classtype:bad-unknown; sid:2009076; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Server in use - Often Hostile Traffic"; flow:established,from_server; content:"|0d 0a|Server|3a| nginx"; nocase; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008054; classtype:bad-unknown; sid:2008054; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED FakeAV Served To Client"; flow:established,to_client; content:"HTTP/1"; depth:6; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; content:"|0D 0A|Set-Cookie|3a| ds=1|0D 0A|"; nocase; reference:url,doc.emergingthreats.net/2011221; classtype:trojan-activity; sid:2011221; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED MALVERTISING trafficbiztds.com - client 
receiving redirect to exploit kit"; flow:established,to_client; content:"domain=trafficbiztds.com"; http_cookie; content:!"google.com"; classtype:bad-unknown; sid:2011469; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Nginx Serving EXE/DLL File Often Malware Related"; flow:established,to_client; content:"Server|3a| nginx"; nocase; fast_pattern; content:"MZ"; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; classtype:misc-activity; sid:2012195; rev:3; metadata:created_at 2011_01_17, updated_at 2011_01_17;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Dictcn Trojan Downloader Node Server Type"; flow:established,to_client; content:"Server|3A| Dict/"; fast_pattern:only; classtype:trojan-activity; sid:2013326; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2011_07_27, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; content:"MZ"; isdataat:80,relative; content:"PE"; distance:0; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013437; rev:5; metadata:created_at 2011_08_19, updated_at 2011_08_19;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; nocase; content:"MZ"; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:3; metadata:created_at 2011_08_22, updated_at 
2011_08_22;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering PDF Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:"|0d 0a 0d 0a|%PDF-"; metadata: former_category CURRENT_EVENTS; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:attempted-user; sid:2013960; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_11_23, malware_family Blackhole, updated_at 2018_01_25;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; content:" $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?doit Download Secondary Request"; flow:established,to_server; content:".php?doit"; http_uri; pcre:"/\.php\?doit[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013788; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_10_20, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 2"; flow:established,to_server; content:"/2ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013786; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 
2011_10_20, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 1-7 PDF exploit download request 2"; flow:established,to_server; content:"/1ddfp.php?f="; http_uri; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013787; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_10_20, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby Download Secondary Request"; flow:established,to_server; content:".php?t"; http_uri; pcre:"/\.php\?t[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2012401; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_02_28, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit"; flow:established,to_server; content:"/pch.php?f="; http_uri; pcre:"/pch\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013548; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_08, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; 
http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013549; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_08, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_13, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?n Download Secondary Request"; flow:established,to_server; content:".php?n"; http_uri; pcre:"/\.php\?n[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013665; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_18, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?page Download Secondary Request"; flow:established,to_server; content:".php?page"; http_uri; pcre:"/^[^?#]+?\.php\?page[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; 
classtype:trojan-activity; sid:2013666; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_18, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?v Download Secondary Request"; flow:established,to_server; content:".php?v"; http_uri; pcre:"/\.php\?v[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013667; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_18, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013363; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_08_04, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; 
classtype:trojan-activity; sid:2014094; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_01_04, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Obfuscated Javascript Often Used in the Blackhole Exploit Kit 3"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|"; within:500; content:""; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5; metadata:created_at 2012_05_17, updated_at 2012_05_17;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:5; metadata:created_at 2012_08_28, updated_at 2012_08_28;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; content:"|0d 0a 0d 0a|PK"; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:4; metadata:created_at 2012_08_28, updated_at 2012_08_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3; metadata:created_at 2012_08_22, updated_at 2012_08_22;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"Loading...!"; metadata: former_category CURRENT_EVENTS; 
classtype:bad-unknown; sid:2016024; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_12_12, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; content:".php?"; http_uri; content:"uid="; http_uri; content:"&gid="; http_uri; content:"&cid="; http_uri; content:"&rid="; http_uri; content:"&sid="; http_uri; reference:url,doc.emergingthreats.net/2008143; classtype:trojan-activity; sid:2008143; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/ngen/controlling/"; fast_pattern:only; http_uri; content:".php"; http_uri; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015797; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_12, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.boCheMan-A/Dexter"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:5; metadata:created_at 2012_10_06, updated_at 2012_10_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Kazy/Kryptor/Cycbot Trojan Checkin 3"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?pr="; 
fast_pattern; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?pr=/U"; classtype:trojan-activity; sid:2013866; rev:6; metadata:created_at 2011_11_07, updated_at 2011_11_07;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Skill.gk User-Agent"; flow:established,to_server; content:"|3b 20 3b 20|"; http_user_agent; content:"MSIE"; http_user_agent; classtype:trojan-activity; sid:2016074; rev:4; metadata:created_at 2012_12_21, updated_at 2012_12_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; classtype:trojan-activity; sid:2001508; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED FakeAV Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/?affid="; depth:8; http_uri; content:"&promo_type="; http_uri; content:"&promo_opt="; http_uri; pcre:"/^\/\?affid=\d+&promo_type=\d+&promo_opt=\d+$/U"; reference:md5,527e115876d0892c9a0ddfc96e852a16; classtype:trojan-activity; sid:2016075; rev:3; metadata:created_at 2012_12_21, updated_at 2012_12_21;) #alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET DELETED DNS Reply Sinkhole - zeus.redheberg.com - 95.130.14.32"; content:"|00 01 00 01|"; content:"|00 04 5f 82 0e 20|"; distance:4; within:6; classtype:trojan-activity; sid:2016105; rev:3; metadata:created_at 2012_12_27, updated_at 2012_12_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible JKDDOS download b.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/b.exe"; nocase; http_uri; 
reference:url,asert.arbornetworks.com/2011/03/jkddos-ddos-bot-with-an-interest-in-the-mining-industry; classtype:trojan-activity; sid:2012466; rev:3; metadata:created_at 2011_03_10, updated_at 2011_03_10;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED pamdql/Sweet Orange delivering hostile XOR trojan payload from robots.php"; flow:established,to_server; content:"/robots.php?"; http_uri; classtype:trojan-activity; sid:2016092; rev:3; metadata:created_at 2012_12_27, updated_at 2012_12_27;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL Jan 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy"; within:300; content:"Ojj"; within:200; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016242; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_21, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 1"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/start.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016257; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 2"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/setup.htm"; fast_pattern:only; http_uri; content:"Host|3a| 
"; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016258; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 3"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/search.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016259; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 4"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016260; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 5"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/login.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 
0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016261; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 6"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/main.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016262; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 7"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/welcome.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016263; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 8"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/file.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; 
within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016264; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 10"; flow:to_server,established; content:"GET"; http_method; urilen:9; content:"/home.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016266; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 11"; flow:to_server,established; content:"GET"; http_method; urilen:11; content:"/online.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016267; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 12"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/install.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 
0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016268; rev:3; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Linux/SSHDoor.A User Login CnC Beacon"; flow:established,to_server; content:"sid="; http_uri; content:"|3A|"; http_uri; content:"&uname="; http_uri; reference:url,blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords; classtype:trojan-activity; sid:2016315; rev:3; metadata:created_at 2013_01_30, updated_at 2013_01_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014189; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_06, malware_family Blackhole, updated_at 2018_01_25;) #alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"ET DELETED Ranky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; 
reference:url,www.iss.net/threats/W32.Trojan.Ranky.FV.html; classtype:trojan-activity; sid:2002728; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET any -> 212.26.42.47 9090 (msg:"ET DELETED Possible ProFTPD Backdoor Initiate Attempt"; flow:to_server; reference:url,xorl.wordpress.com/2010/12/02/news-proftpd-owned-and-backdoored/; reference:url, sourceforge.net/mailarchive/message.php?msg_name=alpine.DEB.2.00.1012011542220.12930%40familiar.castaglia.org; reference:url,slashdot.org/story/10/12/02/131214/ProFTPDorg-Compromised-Backdoor-Distributed; classtype:trojan-activity; sid:2011992; rev:3; metadata:created_at 2010_12_02, updated_at 2010_12_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/pagead/afma_load_ads.js"; nocase; http_uri; fast_pattern; content:"pagead2.googlesyndication.com"; http_header; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016386; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare -Task Killer Checkin 3"; flow:established,to_server; content:"GET"; http_method; content:"/m/gne/suggest?q="; nocase; http_uri; fast_pattern; content:"SID=DQAAAKQAAAAHga"; http_cookie; reference:md5,745513a53af2befe3dc00d0341d80ca6; classtype:trojan-activity; sid:2016387; rev:4; metadata:created_at 2013_02_08, updated_at 2013_02_08;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Possible g01pack Jar download"; flow:established,from_server; flowbits:isset,ET.g01pack.Java.Image; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; classtype:trojan-activity; sid:2016321; rev:3; metadata:created_at 2013_01_31, updated_at 2013_01_31;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Android/DNightmare - Task Killer Checkin 1"; 
flow:established,to_server; content:"GET"; http_method; content:"/pagead/ads?rsp="; nocase; http_uri; fast_pattern; content:"msid=com.droiddream.advancedtaskkiller1"; nocase; http_uri; reference:url,anubis.iseclab.org/index.php?action=result&task_id=4fdbf09e9bb20824658cfd45b63a309e; classtype:trojan-activity; sid:2016385; rev:3; metadata:created_at 2013_02_08, updated_at 2013_02_08;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Skype VOIP Reporting Install"; flow: to_server,established; content:"/ui/"; nocase; http_uri; content:"/installed"; http_uri; nocase; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-039-04.pdf; reference:url,doc.emergingthreats.net/2001596; classtype:policy-violation; sid:2001596; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Featured-Results.com Agent Reporting Data"; flow: to_server,established; content:"action=any"; nocase; http_uri; content:"country="; nocase; http_uri; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; classtype:trojan-activity; sid:2001293; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; http_method; content:"POST|2C|"; fast_pattern; nocase; depth:100; content:"ACCEPT|3A|"; nocase; within:300; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; reference:url,doc.emergingthreats.net/2007748; classtype:trojan-activity; sid:2007748; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host|3a|"; 
nocase; http_header; content:"google.vc"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; classtype:trojan-activity; sid:2002765; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Unknown Exploit Kit Payload Request"; flow:established,to_server; content:"/download.php?e="; http_uri; fast_pattern:only; pcre:"/\.php\?e=[^&]+?$/U"; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2016522; rev:2; metadata:created_at 2013_03_04, updated_at 2018_08_20;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Specific - 4/3/2013"; flow:established,to_client; file_data; content:"}try{doc[|22|body|22|]^=2}catch("; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016524; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch Body Style 2 Specific - 4/3/2013"; flow:established,to_client; file_data; content:"try{document.body^=2}catch("; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016525; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole V2 Exploit Kit Landing Page Try Catch False Specific - 4/3/2013"; flow:established,to_client; file_data; content:"}try{}catch("; 
distance:0; content:"=false|3B|}"; within:30; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016526; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_04, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Stabuniq Observed C&C POST Target /rss.php"; flow:to_server,established; content:"POST"; http_method; content:"/rss.php"; http_uri; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-121809-2437-99&tabid=2; reference:url,contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html; classtype:trojan-activity; sid:2016131; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; http_client_body; content:"&comp="; distance:0; http_client_body; content:"&src="; distance:0; http_client_body; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; classtype:trojan-activity; sid:2016096; rev:4; metadata:created_at 2012_12_27, updated_at 2012_12_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Ponik.Downloader Randomware Download"; flow:established,to_server; urilen:>60; content:"-.php"; fast_pattern; http_uri; content:"User-Agent|3A| Mozilla/5.0 (Windows NT 6.1|3B| WOW64) AppletWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11|0D 0A|"; 
http_header; pcre:"/\x2F[a-z\x2D]{60,120}.+\x2D\x2Ephp$/U"; reference:url,www.symantec.com/connect/blogs/fake-adobe-flash-update-installs-ransomware-performs-click-fraud; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-110915-5758-99; classtype:trojan-activity; sid:2016548; rev:3; metadata:created_at 2013_03_06, updated_at 2013_03_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"h"; depth:1; http_client_body; content:"="; within:12; http_client_body; content:"&p"; distance:24; within:2; http_client_body; pcre:"/^h[a-z0-9]{0,10}\x3d[a-f0-9]{24}&p[a-z0-9]{0,10}\x3d[a-z0-9]{1,11}&i/P"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016562; rev:7; metadata:created_at 2013_03_12, updated_at 2018_06_18;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL DELETED dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102726; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 9"; flow:to_server,established; content:"GET"; http_method; urilen:12; content:"/default.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a 
\d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016265; rev:4; metadata:created_at 2013_01_23, updated_at 2013_01_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32/Kelihos.F Checkin 13"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/index.htm"; fast_pattern:only; http_uri; content:"Host|3a| "; depth:6; http_header; content:"|0d 0a|Content-Length|3a| "; distance:7; within:26; http_header; content:"|0d 0a|User-Agent|3a| "; distance:3; within:14; http_header; pcre:"/^Host\x3a (\d{1,3}\.){3}\d{1,3}\r\nContent-Length\x3a \d{3}\r\nUser-Agent\x3a [^\r\n]+?\r\n$/H"; reference:md5,56e0e87e64299f5bb91d2183bbff7cfa; classtype:trojan-activity; sid:2016281; rev:4; metadata:created_at 2013_01_25, updated_at 2013_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Asprox Spam Module CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/index.php"; http_uri; content:"Content-Disposition|3A| form-data|3B| name=|22|sid|22|"; http_client_body; content:"Content-Disposition|3A| form-data|3B| name=|22|up|22|"; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|ping|22|"; fast_pattern:32,11; http_client_body; distance:0; content:"Content-Disposition|3A| form-data|3B| name=|22|guid|22|"; distance:0; http_client_body; reference:url,www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016561; rev:3; metadata:created_at 2013_03_12, updated_at 2013_03_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; content:"/pr.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; 
classtype:trojan-activity; sid:2001486; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:23; content:"/q.php"; offset:17; http_uri; pcre:"/^\/[0-9a-f]{16}\/q\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016563; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_12, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 32-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:40; content:"/ff.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016722; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 16-hex/ff.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:24; content:"/ff.php"; offset:17; depth:7; http_uri; pcre:"/^\/[0-9a-f]{16}\/ff\.php$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016724; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_04, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET 
any (msg:"ET DELETED Empty HTTP Content Type Server Response - Potential CnC Server"; flow:established,to_client; content:"Content-Type|3A 20 0D 0A|"; http_header; classtype:bad-unknown; sid:2016712; rev:3; metadata:created_at 2013_04_03, updated_at 2013_04_03;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?aid="; fast_pattern; nocase; http_uri; content:"&pid="; http_uri; content:"&kind="; nocase; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/2009826; classtype:trojan-activity; sid:2009826; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008110; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008108; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET DELETED Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008103; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET DELETED Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel 
Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; classtype:trojan-activity; sid:2008107; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -2 Mar 13 2013"; flow:established,from_server; file_data; content:"0156,0142,0156,0142,073,0171"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016636; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_20, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -4 Mar 22 2013"; flow:established,from_server; file_data; content:"0154,0140,0154,0140,071,0167"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016661; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_22, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -5 Mar 26 2013"; flow:established,from_server; file_data; content:"0153,0137,0153,0137,070,0166"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016678; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_27, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal -7 Mar 30 2013"; flow:established,from_server; 
file_data; content:"0151,0135,0151,0135,066,0164"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016686; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_01, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole/Cool plugindetect in octal Mar 6 2013"; flow:established,from_server; file_data; content:"0160,0144,0160,0144,075,0173"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016544; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_03_06, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:6; metadata:created_at 2012_08_16, updated_at 2012_08_16;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Nymaim Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/nymain/"; http_uri; fast_pattern:only; content:"/index.php"; http_uri; content:"filename="; http_client_body; content:"&data="; http_client_body; reference:md5,b904ce55532582a6ea516399d8e4b410; classtype:trojan-activity; sid:2016752; rev:3; metadata:created_at 2012_12_12, updated_at 2012_12_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole 2 Landing Page (9)"; flow:to_server,established; content:"/closest/"; fast_pattern:only; http_uri; 
content:".php"; http_uri; pcre:"/^\/closest\/(([a-z]{1,16}[-_]){1,4}[a-z]{1,16}|[a-z0-9]{20,}+)\.php/U"; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016755; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_12, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (1)"; flow:established,to_server; urilen:>40; content:".js"; http_uri; pcre:"/^\/[a-z0-9A-Z]{25,35}\/(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+(_[e7uxMhp1Kt]+)?|a2\.\.)Z(([e7uxMhp1Kt]+Q){3}[e7uxMhp1Kt]+|a2\.\.)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:9; metadata:created_at 2012_11_15, updated_at 2012_11_15;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SofosFO - Landing Page"; flow:established,to_client; file_data; content:"BillyBonnyGetDepolo"; classtype:trojan-activity; sid:2016241; rev:4; metadata:created_at 2013_01_21, updated_at 2013_01_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible second stage landing page (2)"; flow:established,to_server; urilen:>25; content:"/highlands.js"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016046; rev:6; metadata:created_at 2012_12_17, updated_at 2012_12_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015006; rev:6; metadata:created_at 2012_07_03, updated_at 2012_07_03;) #alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET DELETED SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015007; rev:9; metadata:created_at 2012_07_03, updated_at 2012_07_03;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015009; rev:3; metadata:created_at 2012_07_03, updated_at 2012_07_03;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:4; metadata:created_at 2012_10_01, updated_at 2012_10_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; 
classtype:trojan-activity; sid:2015752; rev:3; metadata:created_at 2012_10_01, updated_at 2012_10_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible Neutrino EK Posting Plugin-Detect Data April 12 2013"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/c"; http_uri; depth:2; pcre:"/^\/c[a-z0-9]+$/U"; content:"XMLHttpRequest"; nocase; http_header; fast_pattern:only; content:"p"; depth:1; http_client_body; pcre:"/^p[a-z0-9]{0,20}\x3d[a-z0-9]{1,20}&i[a-z0-9]{0,20}\x3d%[0-9A-F]{2}/P"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016753; rev:10; metadata:created_at 2013_04_12, updated_at 2018_06_18;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Reversed Applet Observed in Sakura/Blackhole Landing"; flow:established,from_server; file_data; content:"eulav "; nocase; fast_pattern:only; content:"eman "; nocase; content:"marap<"; nocase; within:500; content:"telppa"; within:500; nocase; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016729; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_04_05, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED CoolEK Payload Download (8)"; flow:established,to_server; content:"/getqq.jpg"; http_uri; nocase; fast_pattern:only; pcre:"/getqq\.jpg$/U"; classtype:trojan-activity; sid:2016782; rev:15; metadata:created_at 2013_04_23, updated_at 2013_04_23;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole MapYandex.class malicious jar"; flow:established,from_server; content:"|0d 0a|Content-Type|3a 20|application/java-archive|0d 0a|"; content:"MapYandex.class"; fast_pattern:only; content:"PK"; metadata: 
former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013554; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_09, malware_family Blackhole, updated_at 2018_01_25;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:""; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2013553; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_09, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Likely Blackhole Exploit Kit Driveby ?b Download Secondary Request"; flow:established,to_server; content:".php?b"; http_uri; pcre:"/\.php\?b[a-z0-9]{1,4}=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013664; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_09_18, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit hostile PDF qwe123"; flow:established,from_server; file_data; content:"/Kids [1 0 R]/"; content:"|0d 0a 09 09| $HOME_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014412; rev:3; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_22, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole client=done Cookie Present"; flow:established,to_server; content:"client=done"; http_header; content:"client=done"; http_cookie; depth:11; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_22, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v1"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|4b 69 64 73 5b 32 38 20 30 20 52 5d 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013991; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_06, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole hostile PDF v2"; flow:established,from_server; file_data; content:"|25 50 44 46 2d 31 2e 36|"; content:"|20 2f 4b 69 64 73 20 5b 31 20 30 20 52 5d 20 2f 54 79 70 65 2f 50 61 67 65 73 3e 3e|"; distance:0; content:"javascript"; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2013992; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, 
deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2011_12_06, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2014195; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_02_06, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED DRIVEBY Blackhole - Landing Page Requested - /Home/index.php"; flow:to_server,established; urilen:15; content:"/Home/index.php"; http_uri; flowbits:set,et.exploitkitlanding; flowbits:noalert; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2014441; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_03_29, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java Applet with Obfuscated URL 2"; flow:established,from_server; file_data; content:" $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (1)"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|22 2a|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016112; rev:3; metadata:created_at 2012_12_28, updated_at 2012_12_28;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Sweet Orange Java obfuscated binary (2)"; 
flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"|3d 3b|"; within:2; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016143; rev:3; metadata:created_at 2013_01_03, updated_at 2013_01_03;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015161; rev:3; metadata:created_at 2012_07_12, updated_at 2012_07_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2015863; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_11_02, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_user_agent; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_25, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole 
Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_19, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit encoded PluginDetect Jan 15 2013"; flow:established,to_client; file_data; content:"80|3A|!08|3A|!!7|3A|!03|3A|!05|3A|!!0|3A|68|3A|!0!|3A|!!6|3A|!0!|3A|99|3A|!!6"; classtype:trojan-activity; sid:2016213; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2013_01_15, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; within:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_10_25, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:4; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_06, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_09_12, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; content:"applet"; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_23, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; content:"|3c|script"; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_23, malware_family Blackhole, updated_at 
2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:trojan-activity; sid:2015648; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_21, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; content:"=0|3B|i $HOME_NET any (msg:"ET DELETED Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_13, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; content:".replace(/hwehes/g"; classtype:trojan-activity; sid:2015592; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Potential Blackhole Zeus Drop - 8th 
August 2012"; flow:established,to_client; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; content:"|0d 0a 0d 0a 3C|html|3E 3C|body|3E 3C|script|3E|"; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_08, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; content:"

Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; classtype:trojan-activity; sid:2015582; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; file_data; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:trojan-activity; sid:2015579; rev:10; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_08_07, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Applet Structure"; flow:established,to_client; file_data; content:"<|2F|script><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, 
tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_23, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_23, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; file_data; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_13, malware_family Blackhole, updated_at 2018_01_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; classtype:trojan-activity; sid:2015476; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Blackhole, tag Exploit_Kit, signature_severity Critical, created_at 2012_07_13, malware_family Blackhole, updated_at 2018_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:""; pcre:"/^\s*?"; 
nocase; distance:0; content:""; nocase; distance:0; metadata: former_category CURRENT_EVENTS; classtype:bad-unknown; sid:2025227; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_05_25, updated_at 2018_01_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Successful Hostinger Generic Phish Jun 09 2017"; flow:to_server,established; content:"POST"; http_method; content:"wb_form_id="; nocase; depth:11; http_client_body; fast_pattern; content:"&message=&wb_input_0="; nocase; distance:8; within:21; http_client_body; content:"&wb_input_0="; nocase; http_client_body; distance:0; content:"&wb_input_1="; nocase; http_client_body; distance:0; content:"&wb_input_1="; nocase; http_client_body; distance:0; metadata: former_category INFO; classtype:trojan-activity; sid:2024375; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_06_09, updated_at 2017_06_09;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious HTML Hex Obfuscated Title - Possible Phishing Landing Jun 28 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:""; nocase; content:!""; nocase; within:20; content:"|26 23|x"; within:20; content:"|3b 26 23|x"; distance:2; within:4; fast_pattern; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:"|3b 26 23|x"; distance:2; within:4; content:""; nocase; distance:0; metadata: former_category INFO; classtype:trojan-activity; sid:2024432; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_06_28, updated_at 2017_06_28;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO HTTP POST to Free Webhost - Possible 
Successful Phish (site40 . net) Jul 18 2017"; flow:to_server,established; content:"POST"; http_method; content:"site40.net|0d 0a|"; http_header; fast_pattern; metadata: former_category INFO; classtype:trojan-activity; sid:2024470; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_07_17, updated_at 2017_07_21;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Phishery Phishing Tool - Default SSL Certificate Observed"; flow:established,from_server; content:"|55 04 03|"; content:"|08|go-phish"; fast_pattern; distance:1; within:9; metadata: former_category INFO; reference:url,github.com/ryhanson/phishery; classtype:trojan-activity; sid:2024505; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Major, created_at 2017_07_28, updated_at 2017_07_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO IE7UA No Cookie No Referer"; flow:to_server,established; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; fast_pattern:36,10; content:!"Referer|3a|"; http_header; content:!"|0d 0a|Cookie|3a|"; flowbits:set,et.IE7.NoRef.NoCookie; flowbits:noalert; classtype:bad-unknown; sid:2023670; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_19, malware_family Trojan_Kwampirs, updated_at 2016_12_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adilbo HTML Encoder Observed"; flow:established,to_client; file_data; content:"|2f 2a 20 61 64 69 6c 62 6f 20 48 54 4d 4c 20 45 6e 63 6f 64 65 72|"; fast_pattern:2,20; content:"*|20 20|Checksum|3a 20|927c770095e0daa48298343b8fd14624"; within:200; metadata: former_category INFO; classtype:policy-violation; sid:2024763; rev:2; metadata:affected_product Web_Browsers, 
attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_23, updated_at 2017_09_23;)
# ---------------------------------------------------------------------------
# ET INFO signatures. The classtypes in this section are policy-violation,
# misc-activity, bad-unknown, protocol-command-decode and trojan-activity, and
# most rules carry either no signature_severity or "Minor". Treat hits as
# triage context for the higher-severity rules elsewhere in the set, not as
# confirmed compromise on their own.
# ---------------------------------------------------------------------------
# sid 2024764: inbound page body containing the JS comment
# "/* Privet darkv. Each domain is 2h fox dead */" (the hex content, decoded).
# A marker string of one pop-under redirect script; the operator can change it
# at will, so expect this one to age out.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Darkwave Popads Pop Under Redirect"; flow:established,to_client; file_data; content:"|2f 2a 20 50 72 69 76 65 74 20 64 61 72 6b 76 2e 20 45 61 63 68 20 64 6f 6d 61 69 6e 20 69 73 20 32 68 20 66 6f 78 20 64 65 61 64 20 2a 2f|"; metadata: former_category INFO; classtype:policy-violation; sid:2024764; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_23, updated_at 2017_09_23;)
# sid 2024829: flowbit setter only. Matches the "LP" (|4c 50|) EOT magic at
# offset 34 of the response body, sets ET.EOT.Download and suppresses its own
# event (flowbits:noalert). Presumably consumed by EOT font-parser rules
# elsewhere in the set; disabling it silently disarms those.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Download of Embedded OpenType (EOT) File flowbit set"; flow:established,to_client; file_data; content:"|4c 50|"; offset:34; depth:2; flowbits:set,ET.EOT.Download; flowbits:noalert; metadata: former_category INFO; reference:url,www.w3.org/Submission/EOT/#FileFormat; classtype:misc-activity; sid:2024829; rev:2; metadata:affected_product Internet_Explorer, affected_product Mac_OSX, affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_10, performance_impact Low, updated_at 2017_10_10;)
# ---------------------------------------------------------------------------
# SOCKSv4/SOCKSv5 inbound CONNECT requests (sids 2003254-2003281): a host in
# $HOME_NET being used as a proxy from outside. The source-port ranges stand in
# for the client OS: 1024:5000 is labelled "Windows Source", 32768:61000
# "Linux Source". Form of the match (per the RFC 1928 / socks4.protocol refs):
#   v4: dsize 9<>18, bytes 0-3 = |04 01 <port hi> <port lo>|
#       (version, CONNECT, destination port)
#   v5: dsize 10 (10<>40 for the domain-name form |05 01 00 03|), bytes 0-3 =
#       |05 01 00 01| (version, CONNECT, reserved, IPv4 address type) and
#       bytes 8-9 = destination port; |00 19|=25, |00 50|=80, |01 bb|=443,
#       |07 47|=1863, |13 ba|=5050, |14 46|=5190.
# threshold type both, track by_src, 900 s: at most one event per source per
# window (after two hits for the two count:2 port-25 SOCKSv4 rules).
# NOTE(review): sid 2003257 is titled "SOCKSv5 Port 25 ... (Linux Source)" but
# its match (dsize 9<>18, |04 01 00 19|, count 2) is the SOCKSv4 form used by
# sid 2003256, and its msg duplicates sid 2003255. Looks like a naming slip;
# confirm before keying triage or dashboards on the msg text.
# ---------------------------------------------------------------------------
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category INFO; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; classtype:protocol-command-decode; sid:2003281; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category INFO; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; classtype:protocol-command-decode; sid:2003268; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category INFO; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; classtype:protocol-command-decode; sid:2003269; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; metadata: former_category INFO; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; classtype:protocol-command-decode; sid:2003256; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; classtype:protocol-command-decode; sid:2003254; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; classtype:protocol-command-decode; sid:2003255; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
# NOTE(review): see the section note above - SOCKSv4 match under a SOCKSv5 msg.
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; classtype:protocol-command-decode; sid:2003257; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; classtype:protocol-command-decode; sid:2003258; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; classtype:protocol-command-decode; sid:2003259; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; classtype:protocol-command-decode; sid:2003260; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; classtype:protocol-command-decode; sid:2003261; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; classtype:protocol-command-decode; sid:2003262; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; classtype:protocol-command-decode; sid:2003263; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; classtype:protocol-command-decode; sid:2003266; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; classtype:protocol-command-decode; sid:2003267; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; classtype:protocol-command-decode; sid:2003270; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; classtype:protocol-command-decode; sid:2003271; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; classtype:protocol-command-decode; sid:2003272; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; classtype:protocol-command-decode; sid:2003273; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; classtype:protocol-command-decode; sid:2003274; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; classtype:protocol-command-decode; sid:2003275; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; classtype:protocol-command-decode; sid:2003276; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; classtype:protocol-command-decode; sid:2003277; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; classtype:protocol-command-decode; sid:2003278; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; classtype:protocol-command-decode; sid:2003279; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET INFO SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; metadata: former_category MALWARE; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; classtype:protocol-command-decode; sid:2003280; rev:6; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
# ---------------------------------------------------------------------------
# PUP/adware and spoofed User-Agent heuristics on outbound HTTP.
# ---------------------------------------------------------------------------
# sid 2001564: OSSProxy (MarketScore) request header; rate-limited to 5 events
# per source per 300 s. Pairs with the User-Agent variant, sid 2001562, below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO PUP/PUA OSSProxy HTTP Header"; flow:to_server,established; content:"X-OSSProxy|3a| OSSProxy"; http_header; threshold: type limit, count 5, seconds 300, track by_src; metadata: former_category MALWARE; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; classtype:policy-violation; sid:2001564; rev:12; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
# sid 2003530: "+" used as the separator inside a Mozilla/4.0 UA;
# fast_pattern:23,20 selects the "+(compatible;+MSIE+/" tail of the content as
# the prefilter pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0+(compatible|3b|+MSIE+/"; http_header; fast_pattern:23,20; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2003530; classtype:trojan-activity; sid:2003530; rev:14; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
# sid 2018174: RelevantKnowledge beacon - X-OSSProxy header plus an ordered run
# of &os= ... &bits= URI parameters (each distance:0 relative to the previous).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO RelevantKnowledge Adware CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"X-OSSProxy|3a|"; fast_pattern:only; http_header; content:"&os="; http_uri; content:"&osmajorver="; http_uri; distance:0; content:"&osminorver="; http_uri; distance:0; content:"&osmajorsp="; http_uri; distance:0; content:"&lang="; http_uri; distance:0; content:"&country="; http_uri; distance:0; content:"&ossname="; http_uri; distance:0; content:"&brand="; http_uri; distance:0; content:"&bits="; http_uri; distance:0; metadata: former_category MALWARE; reference:md5,d93b888e08693119a1b0dd3983b8d1ec; classtype:trojan-activity; sid:2018174; rev:4; metadata:created_at 2014_02_25, updated_at 2017_10_27;)
# sid 2024978: urilen:10 together with "/ping.html" pins the exact URI. The body
# prefix "data=eyJwbHVnaW4i" is base64 for '{"plugin"'; the pcre only checks
# that the remainder is well-formed base64, it does not decode it. The
# ".html?appIdKey=" header match is presumably the Referer - confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Browser Plugin Detect - Observed in Apple Phishing"; flow:to_server,established; urilen:10; content:"POST"; http_method; content:"/ping.html"; http_uri; content:".html?appIdKey="; http_header; content:"data=eyJwbHVnaW4i"; http_client_body; depth:17; fast_pattern; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/Pi"; metadata: former_category INFO; classtype:bad-unknown; sid:2024978; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_11_08, updated_at 2017_11_08;)
# ---------------------------------------------------------------------------
# Dynamic-DNS and cheap-TLD visibility rules. The dns_query rules match the
# queried name (usually nocase and end-anchored with isdataat:!1,relative;
# sids 2013743, 2012758 and 2022918 have no end anchor and 2013743 no nocase);
# the http_host variants match the Host header of outbound requests. Dynamic
# DNS providers have plenty of legitimate users, so expect noise and tune with
# threshold/suppress per environment - only sids 2014784, 2015633 and 2023882
# carry a threshold of their own.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; dns_query; content:".no-ip."; classtype:bad-unknown; sid:2013743; rev:4; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
# sid 2022913: any -> any, so it also sees internal WPAD fetches; the refs
# (WPAD draft, RFC 1002 NetBIOS) point at the BadTunnel name-spoofing case.
# Volume can be high where WPAD auto-proxy discovery is in normal use.
alert http any any -> any any (msg:"ET INFO WinHttp AutoProxy Request wpad.dat Possible BadTunnel"; flow:established,to_server; content:"GET"; http_method; content:"/wpad.dat"; http_uri; fast_pattern; isdataat:!1,relative; reference:url,tools.ietf.org/html/draft-ietf-wrec-wpad-01; reference:url,ietf.org/rfc/rfc1002.txt; classtype:protocol-command-decode; sid:2022913; rev:3; metadata:created_at 2016_06_23, updated_at 2016_06_23;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; dns_query; content:".3322.org"; nocase; isdataat:!1,relative; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:7; metadata:created_at 2011_01_12, updated_at 2011_01_12;)
# sid 2003492: a bare "Mozilla/4.0" User-Agent (depth:11 plus isdataat:!1 means
# the UA is exactly that string). The content:! http_host list is a hand-kept
# allowlist for known legitimate clients (rev:30) and will need upkeep.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; content:"Mozilla/4.0"; depth:11; fast_pattern; nocase; http_user_agent; isdataat:!1,relative; content:!"/CallParrotWebClient/"; http_uri; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http_raw_header; content:!"www.google.com"; http_host; content:!"secure.logmein.com"; http_host; content:!"weixin.qq.com"; http_host; content:!"slickdeals.net"; http_host; content:!"cloudera.com"; http_host; content:!"secure.digitalalchemy.net.au"; http_host; content:!".ksmobile.com"; http_host; content:!"gstatic.com"; http_host; content:!".cmcm.com"; http_host; content:!".deckedbuilder.com"; http_host; content:!".mobolize.com"; http_host; content:!"wq.cloud.duba.net"; http_host; metadata: former_category INFO; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:30; metadata:created_at 2010_07_30, updated_at 2017_12_01;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain"; dns_query; content:".dyndns."; nocase; classtype:misc-activity; sid:2012758; rev:5; metadata:created_at 2011_05_02, updated_at 2011_05_02;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_host; fast_pattern; content:!"checkip."; http_host; pcre:"/\.dyndns\.(biz|info|org|tv)$/W"; classtype:bad-unknown; sid:2013097; rev:8; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
# sid 2016777: any Host ending in .pw; the negated "u.pw" at depth:4 with
# isdataat:!1 exempts the host "u.pw" itself only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.pw domain"; flow:established,to_server; content:".pw"; fast_pattern; http_host; isdataat:!1,relative; content:!"u.pw"; depth:4; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2016777; rev:12; metadata:created_at 2013_04_19, updated_at 2013_04_19;)
# sid 2016141: .exe fetched from a dotted-quad Host - three "." matches in the
# first bytes of http_host narrow it, then pcre /^(?:\d{1,3}\.){3}\d{1,3}$/W
# confirms the whole Host is an IPv4 literal.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Executable Download from dotted-quad Host"; flow:established,to_server; content:".exe"; http_uri; isdataat:!1,relative; nocase; content:"."; http_host; offset:1; depth:3; content:"."; http_host; within:4; content:"."; http_host; within:4; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/W"; http_request_line; content:".exe HTTP/1."; fast_pattern; classtype:trojan-activity; sid:2016141; rev:5; metadata:created_at 2013_01_03, updated_at 2013_01_03;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspected PUP/PUA User-Agent (OSSProxy)"; flow:established,to_server; content:"OSSProxy"; http_user_agent; threshold:type limit, count 2, seconds 300, track by_src; metadata: former_category MALWARE; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/2001562; classtype:policy-violation; sid:2001562; rev:35; metadata:created_at 2010_07_30, updated_at 2017_10_27;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain"; dns_query; content:".flnet.org"; nocase; isdataat:!1,relative; classtype:bad-unknown; sid:2014500; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net"; flow:established,to_server; content:".3322.net"; http_host; isdataat:!1,relative; classtype:misc-activity; sid:2014788; rev:7; metadata:created_at 2012_05_18, updated_at 2012_05_18;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.dtdns.net Domain"; dns_query; content:".dtdns.net"; nocase; isdataat:!1,relative; classtype:bad-unknown; sid:2014492; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
# NOTE(review): sids 2013684 and 2014493 have identical match logic
# (".dtdns.net" on http_host, end-anchored) and both fire on the same request;
# one of them is redundant and could be disabled locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.dtdns.net domain"; flow:to_server,established; content:".dtdns.net"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2013684; rev:4; metadata:created_at 2011_09_21, updated_at 2011_09_21;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns.net Domain"; flow:established,to_server; content:".dtdns.net"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2014493; rev:7; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain"; dns_query; content:".myftp.biz"; nocase; isdataat:!1,relative; classtype:bad-unknown; sid:2013823; rev:3; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8800.org"; dns_query; content:".8800.org"; isdataat:!1,relative; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014784; rev:6; metadata:created_at 2012_05_18, updated_at 2012_05_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com"; flow:established,to_server; content:".mooo.com"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2015634; rev:4; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_host; pcre:"/(?:at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work)\.com/WR"; classtype:bad-unknown; sid:2013096; rev:5; metadata:created_at 2011_06_22, updated_at 2011_06_22;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; content:".no-ip.com"; http_host; fast_pattern; content:!"www.no-ip.com"; http_host; classtype:bad-unknown; sid:2013744; rev:9; metadata:created_at 2011_10_05, updated_at 2011_10_05;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to *.duckdns. Domain"; dns_query; content:".duckdns."; nocase; classtype:misc-activity; sid:2022918; rev:2; metadata:created_at 2016_06_27, updated_at 2016_06_27;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; dns_query; content:".8866.org"; isdataat:!1,relative; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:6; metadata:created_at 2011_04_28, updated_at 2011_04_28;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.3d-game.com Domain"; dns_query; content:".3d-game.com"; nocase; isdataat:!1,relative; classtype:bad-unknown; sid:2014478; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Hopto.org"; flow:established,to_server; content:".hopto.org"; http_host; fast_pattern; isdataat:!1,relative; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018216; rev:3; metadata:created_at 2014_03_04, updated_at 2014_03_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.osa.pl domain"; flow:established,to_server; content:".osa.pl"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2014037; rev:4; metadata:created_at 2011_12_22, updated_at 2011_12_22;)
# sid 2024235: the msg spells the domain with spaces on purpose (defanged); the
# content matches the real ".freevnn.com" label.
alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query to Free Hosting Domain (freevnn . com)"; dns_query; content:".freevnn.com"; nocase; isdataat:!1,relative; metadata: former_category INFO; reference:md5,18c1c99412549815bdb89c36316243a7; classtype:bad-unknown; sid:2024235; rev:3; metadata:deployment Perimeter, signature_severity Minor, created_at 2017_04_21, performance_impact Low, updated_at 2017_04_21;)
# sid 2015820: "Windows NT 7" is not a real NT version string (Windows 7 reports
# NT 6.1), so a UA carrying it was hand-written.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Windows NT version 7 User-Agent"; flow:established,to_server; content:"Windows NT 7"; nocase; http_user_agent; fast_pattern; classtype:trojan-activity; sid:2015820; rev:4; metadata:created_at 2012_10_19, updated_at 2012_10_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUSPICIOUS .scr file download"; flow:established,to_server; content:".scr"; http_uri; isdataat:!1,relative; fast_pattern; content:!"kaspersky.com"; http_host; classtype:trojan-activity; sid:2018231; rev:5; metadata:created_at 2014_03_07, updated_at 2016_08_25;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.suroot.com Domain"; flow:established,to_server; content:".suroot.com"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2014511; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Connection To DDNS Domain Myvnc.com"; flow:established,to_server; content:".myvnc.com"; http_host; isdataat:!1,relative; reference:url,blogs.cisco.com/security/dynamic-detection-of-malicious-ddns/; reference:url,labs.umbrella.com/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/; classtype:bad-unknown; sid:2018213; rev:3; metadata:created_at 2014_03_04, updated_at 2014_03_04;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a *.bbsindex.com Domain"; dns_query; content:".bbsindex.com"; nocase; isdataat:!1,relative; classtype:bad-unknown; sid:2014484; rev:5; metadata:created_at 2012_04_05, updated_at 2012_04_05;)
alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; dns_query; content:".mooo.com"; nocase; isdataat:!1,relative; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2015633; rev:3; metadata:created_at 2012_08_16, updated_at 2012_08_16;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org"; flow:established,to_server; content:".3322.org"; http_host; isdataat:!1,relative; classtype:misc-activity; sid:2013213; rev:6; metadata:created_at 2011_07_06, updated_at 2011_07_06;)
# sid 2023882: any Host under .top (the pcre allows an optional :port after the
# TLD), one event per source per 30 s. signature_severity Major is strong for
# a TLD-only match; consider a local downgrade where .top traffic is routine.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.top domain"; flow:established,to_server; content:".top"; fast_pattern; http_host; pcre:"/^(\x3a\d{1,5})?$/WR"; threshold:type limit, track by_src, count 1, seconds 30; reference:url,www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap; reference:url,www.spamhaus.org/statistics/tlds/; classtype:bad-unknown; sid:2023882; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_02_07, updated_at 2017_02_07;)
# sid 2017639: java-archive Content-Type, Content-Length <= 30000 (byte_test on
# the decimal string) and a "PK" zip signature at the start of the body.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Size Under 30K Size - Potentially Hostile"; flow:established,to_client; http_content_type; content:"application/java-archive"; depth:24; fast_pattern; http_content_len; byte_test:0,<=,30000,0,string,dec; file_data; content:"PK"; within:2; classtype:bad-unknown; sid:2017639; rev:7; metadata:created_at 2013_10_28, updated_at 2013_10_28;)
# sid 2024227: certificate subject containing "xn--" (the IDNA ACE prefix, i.e.
# a punycode label) with issuer O=Let's Encrypt. Every legitimate IDN site on a
# Let's Encrypt certificate matches too - a phishing lead, not an indicator.
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Lets Encrypt Free SSL Cert Observed with IDN/Punycode Domain - Possible Phishing"; flow:established,from_server; tls_cert_subject; content:"xn--"; tls_cert_issuer; content:"O=Let's Encrypt"; metadata: former_category INFO; reference:url,isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/; reference:url,letsencrypt.org/about/; classtype:policy-violation; sid:2024227; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_04_19, updated_at 2017_04_19;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.sytes.net Domain"; flow:established,to_server; content:".sytes.net"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2018219; rev:7; metadata:created_at 2012_03_05, updated_at 2012_03_05;)
# sid 2018359: POST to a dotted-quad Host with a Firefox UA where Host is the
# first header (the http_header_names buffer starts with CRLF) and
# Accept-Encoding, Referer and X-Requested-With are all absent - a header
# profile a real browser does not normally produce.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 2"; flow:established,to_server; content:"POST"; http_method; content:" Firefox/"; nocase; http_user_agent; fast_pattern; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; http_header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Accept-Encoding"; content:!"Referer"; content:!"X-Requested-With"; nocase; metadata: former_category INFO; classtype:bad-unknown; sid:2018359; rev:3; metadata:created_at 2014_04_04, updated_at 2017_12_01;)
# sid 2014473: fires only when ET.http.javaclient.vulnerable was set earlier on
# the flow (presumably by a Java client-version rule outside this section);
# "PK" at depth:2 is the zip/JAR signature at the start of the response body.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download By Vulnerable Client"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"PK"; depth:2; classtype:trojan-activity; sid:2014473; rev:5; metadata:created_at 2012_04_04, updated_at 2012_04_04;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP Request to a *.tc domain"; flow:established,to_server; content:".tc"; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2013535; rev:5; metadata:created_at 2011_09_06, updated_at 2011_09_06;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible EXE Download From Suspicious TLD (.gdn) - set"; flow:established,to_server; content:".gdn"; http_host; 
fast_pattern; pcre:"/^(?:\x3a\d{1,5})?$/W"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2023458; rev:3; metadata:affected_product Any, attack_target Client_and_Server, signature_severity Minor, created_at 2016_10_27, updated_at 2017_10_12;) alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gdn Domain"; dns_query; content:".gdn"; nocase; isdataat:!1,relative; metadata: former_category DNS; classtype:bad-unknown; sid:2025098; rev:2; metadata:created_at 2017_12_02, updated_at 2017_12_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gdn Domain"; flow:established,to_server; content:"POST"; http_method; content:".gdn"; fast_pattern; http_host; isdataat:!1,relative; metadata: former_category INFO; classtype:bad-unknown; sid:2025097; rev:2; metadata:created_at 2017_12_02, updated_at 2017_12_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.gq domain"; flow:established,to_server; content:"POST"; http_method; content:".gq"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2025100; rev:1; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ga Domain"; flow:established,to_server; content:"POST"; http_method; content:".ga"; fast_pattern; http_host; isdataat:!1,relative; classtype:bad-unknown; sid:2025101; rev:1; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.ml Domain"; flow:established,to_server; content:"POST"; http_method; content:".ml"; fast_pattern; http_host; isdataat:!1,relative; metadata: former_category INFO; classtype:bad-unknown; sid:2025102; rev:1; metadata:created_at 2017_12_03, updated_at 2017_12_07;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO HTTP POST Request to Suspicious *.cf Domain"; flow:established,to_server; content:"POST"; http_method; content:".cf"; fast_pattern; http_host; isdataat:!1,relative; metadata: former_category INFO; classtype:bad-unknown; sid:2025103; rev:1; metadata:created_at 2017_12_03, updated_at 2017_12_07;) alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ga Domain"; dns_query; content:".ga"; nocase; isdataat:!1,relative; threshold: type limit, count 1, track by_src, seconds 120; metadata: former_category INFO; classtype:bad-unknown; sid:2025105; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .ml Domain"; dns_query; content:".ml"; nocase; isdataat:!1,relative; threshold: type limit, count 1, track by_src, seconds 120; metadata: former_category INFO; classtype:bad-unknown; sid:2025106; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .cf Domain"; dns_query; content:".cf"; nocase; isdataat:!1,relative; threshold: type limit, count 1, track by_src, seconds 120; metadata: former_category INFO; classtype:bad-unknown; sid:2025107; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert dns $HOME_NET any -> any any (msg:"ET INFO DNS Query for Suspicious .gq Domain"; dns_query; content:".gq"; nocase; isdataat:!1,relative; threshold: type limit, count 1, track by_src, seconds 120; metadata: former_category INFO; classtype:bad-unknown; sid:2025104; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ga) in TLS SNI"; flow:established,to_server; tls_sni; content:".ga"; isdataat:!1,relative; fast_pattern; nocase; threshold: type limit, count 1, track by_src, seconds 120; classtype:bad-unknown; sid:2025109; rev:2; metadata:created_at 
2017_12_03, updated_at 2017_12_03;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gq) in TLS SNI"; flow:established,to_server; tls_sni; content:".gq"; isdataat:!1,relative; fast_pattern; nocase; threshold: type limit, count 1, track by_src, seconds 120; classtype:bad-unknown; sid:2025108; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.ml) in TLS SNI"; flow:established,to_server; tls_sni; content:".ml"; isdataat:!1,relative; fast_pattern; nocase; threshold: type limit, count 1, track by_src, seconds 120; classtype:bad-unknown; sid:2025110; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.cf) in TLS SNI"; flow:established,to_server; tls_sni; content:".cf"; isdataat:!1,relative; fast_pattern; nocase; threshold: type limit, count 1, track by_src, seconds 120; classtype:bad-unknown; sid:2025111; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Domain (*.gdn) in TLS SNI"; flow:established,to_server; tls_sni; content:".gdn"; isdataat:!1,relative; fast_pattern; nocase; threshold: type limit, count 1, track by_src, seconds 120; classtype:bad-unknown; sid:2025112; rev:2; metadata:created_at 2017_12_03, updated_at 2017_12_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPSEL File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".mipsel"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025122; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO MIPS File Download Request from IP Address"; flow:established,to_server; content:"GET"; 
http_method; content:".mips"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025123; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".arm"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025124; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO ARM7 File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".arm7"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025125; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO x86 File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".x86"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025126; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO m68k File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".m68k"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025127; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SPARC File Download Request from IP Address"; 
flow:established,to_server; content:"GET"; http_method; content:".sparc"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025128; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO POWERPC File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".powerpc"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025129; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO X86_64 File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".x86_64"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025130; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO SUPERH File Download Request from IP Address"; flow:established,to_server; content:"GET"; http_method; content:".superh"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}/W"; metadata: former_category INFO; classtype:bad-unknown; sid:2025131; rev:1; metadata:attack_target IoT, created_at 2017_12_05, updated_at 2017_12_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible MSXMLHTTP Request to Dotted Quad"; flow:to_server,established; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT"; http_user_agent; depth:45; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?/W"; http_accept; content:"*/*";depth:3; isdataat:!1,relative; http_accept_enc; content:"gzip, deflate"; depth:13; isdataat:!1,relative; http_start; content:"HTTP/1.1|0d 0a|Accept"; 
http_header_names; content:"|0d 0a|Accept|0d 0a|Accept-Encoding|0d 0a|User-Agent|0d 0a|"; depth:39; fast_pattern; content:!"|0d 0a|UA-CPU"; content:!"|0d 0a|Cookie"; content:!"|0d 0a|Referer"; content:!"|0d 0a|Accept-Language"; flowbits:set,et.MS.XMLHTTP.ip.request; flowbits:noalert; classtype:misc-activity; sid:2022054; rev:3; metadata:created_at 2015_11_09, updated_at 2015_11_09;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious Request for Doc to IP Address with Terse Headers"; flow:established,to_server; content:"GET"; http_method; content:".doc"; nocase; http_uri; isdataat:!1,relative; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/W"; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; isdataat:!1,relative; metadata: former_category INFO; classtype:bad-unknown; sid:2025162; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_12_21, updated_at 2017_12_21;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO PhishMe.com Phishing Landing Exercise"; flow:to_client,established; content:"200"; http_stat_code; content:"_phishme.com_session_id="; http_cookie; file_data; content:"|0d 0a||0d 0a|"; nocase; within:100; metadata: former_category INFO; classtype:bad-unknown; sid:2025267; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_01_30, updated_at 2018_01_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Windows OS Submitting USB Metadata to Microsoft"; flow:established,to_server; content:"POST"; http_method; content:"metadata.svc"; http_uri; isdataat:!1,relative; content:"/DeviceMetadataService/GetDeviceMetadata|22 0d 0a|"; http_header; content:"MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT"; http_user_agent; depth:42; isdataat:!1,relative; fast_pattern; metadata: former_category INFO; 
classtype:misc-activity; sid:2025275; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_01_31, performance_impact Low, updated_at 2018_01_31;)
# NOTE(review): sid 2024228 below carries two empty matches (content:""; nocase; ... and content:""; nocase; distance:0;), and an
# empty content is not a usable pattern, so this rule cannot load as written. This is almost certainly an extraction artifact
# (an HTML-stripping step removed the tag text): the msg says "Obfuscated Title", and the within:5 / distance:0 anchors only
# make sense bracketing the decimal-entity run with the opening and closing <title> tags. Restore the two content values from
# the upstream ET rule before deploying; do not guess them from this copy.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017"; flow:from_server,established; content:"200"; http_stat_code; content:"Content-Type|3a 20|text/html"; http_header; file_data; content:""; nocase; content:"|26 23|"; within:5; content:"|3b 26 23|"; fast_pattern; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:"|3b 26 23|"; within:6; content:""; nocase; distance:0; metadata: former_category INFO; classtype:trojan-activity; sid:2024228; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2017_04_19, updated_at 2017_04_19;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible MyEtherWallet Phishing Landing - SSL/TLS Certificate Observed"; flow:established,to_client; tls_cert_subject; content:"CN=xn--myeth"; depth:12; fast_pattern; metadata: former_category INFO; classtype:bad-unknown; sid:2025317; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_06, updated_at 2018_02_06;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible MyMonero Phishing Landing - SSL/TLS Certificate Observed"; flow:established,to_client; tls_cert_subject; content:"CN=xn--mymo"; depth:11; fast_pattern; metadata: former_category INFO; classtype:bad-unknown; sid:2025318; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 
2018_02_06, updated_at 2018_02_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Browser Plugin Detect - Observed in Phish Landings"; flow:established,to_client; file_data; content:"#browser_info"; content:"getBrowserMajorVersion()"; nocase; distance:0; fast_pattern; content:"#os_info"; nocase; distance:0; content:"getOSVersion()"; nocase; distance:0; content:"getScreenPrint()"; nocase; distance:0; content:"getPlugins()"; nocase; distance:0; content:"getJavaVersion()"; nocase; distance:0; content:"getFlashVersion()"; nocase; distance:0; content:"getSilverlightVersion()"; nocase; distance:0; metadata: former_category INFO; classtype:bad-unknown; sid:2025399; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_02_26, updated_at 2018_02_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Secondary Flash Request Seen (no alert)"; flow:established,to_server; http_referer; content:"/[[DYNAMIC]]/1"; fast_pattern; http_header_names; content:"x-flash-version"; flowbits:set,ET.SecondaryFlash.Req; flowbits:noalert; metadata: former_category INFO; classtype:trojan-activity; sid:2025411; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Sundown_EK, signature_severity Major, created_at 2018_03_09, updated_at 2018_03_09;) alert http any any -> any any (msg:"ET INFO Possible Sandvine PacketLogic Injection"; flow:established,from_server; id:13330; flags:AF; content:"HTTP/1.1 307 Temporary Redirect|0a|Location|3a 20|"; depth:42; fast_pattern; content:"Connection: close|0a 0a|"; distance:0; isdataat:!1,relative; metadata: former_category INFO; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/; classtype:misc-activity; sid:2025428; rev:1; metadata:attack_target Client_and_Server, deployment 
Datacenter, signature_severity Minor, created_at 2018_03_13, performance_impact Low, updated_at 2018_03_13;) alert dns $HOME_NET any -> any any (msg:"ET INFO Observed Free Hosting Domain (*.000webhostapp .com in DNS Lookup)"; dns_query; content:".000webhostapp.com"; nocase; isdataat:!1,relative; metadata: former_category INFO; classtype:not-suspicious; sid:2026657; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2018_03_16, performance_impact Moderate, updated_at 2018_11_27;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Observed SSL Cert for Free Hosting Domain (*.000webhostapp .com)"; flow:established,to_client; tls_cert_subject; content:"CN=*.000webhostapp.com"; nocase; isdataat:!1,relative; metadata: former_category INFO; classtype:not-suspicious; sid:2026658; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2018_03_16, performance_impact Low, updated_at 2018_11_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Suspicious User-Agent (CustomStringHere)"; flow:established,to_server; content:"CustomStringHere"; http_user_agent; metadata: former_category INFO; reference:md5,7a8cb1223e006bc7e70169c060d7057b; classtype:misc-activity; sid:2025436; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_19, updated_at 2018_03_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO NYU Internet HTTP/SSL Census Scan"; flow:to_server,established; content:"NYU Internet Census (https://scan.lol|3b 20|research@scan.lol)"; http_user_agent; metadata: former_category INFO; reference:url,scan.lol; classtype:network-scan; sid:2025460; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, deployment Perimeter, signature_severity Minor, 
created_at 2018_04_03, updated_at 2018_04_03;)
# NOTE(review): in sid 2025495 (and the .webcam/.yokohama/.tokyo rules on this line, plus the .gq/.work rules that follow, sids
# 2025500 and 2025501) the prefilter content:".men|0d 0a|" requires the TLD to be followed directly by CRLF, while the pcre
# explicitly allows an optional :port after the TLD. A Host header carrying an explicit port therefore never satisfies the
# content and the pcre is never evaluated, so the ET.SuspExeTLDs flowbit is not set for that case. The .gdn variant
# (sid 2023458) matches the TLD on http_host and lets the pcre handle the optional port; the same anchoring closes the gap here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible EXE Download From Suspicious TLD (.men) - set"; flow:established,to_server; content:".men|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.men(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025495; rev:2; metadata:created_at 2018_04_16, updated_at 2018_04_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible EXE Download From Suspicious TLD (.webcam) - set"; flow:established,to_server; content:".webcam|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.webcam(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; metadata: former_category INFO; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025497; rev:2; metadata:created_at 2018_04_16, updated_at 2018_04_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible EXE Download From Suspicious TLD (.yokohama) - set"; flow:established,to_server; content:".yokohama|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.yokohama(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025498; rev:2; metadata:created_at 2018_04_16, updated_at 2018_04_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible EXE Download From Suspicious TLD (.tokyo) - set"; flow:established,to_server; content:".tokyo|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.tokyo(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025499; rev:2; metadata:created_at 2018_04_16, updated_at 2018_04_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible EXE 
Download From Suspicious TLD (.gq) - set"; flow:established,to_server; content:".gq|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.gq(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025500; rev:2; metadata:created_at 2018_04_16, updated_at 2018_04_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible EXE Download From Suspicious TLD (.work) - set"; flow:established,to_server; content:".work|0d 0a|"; http_header; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+\.work(?:\x3a\d{1,5})?\r?$/Hmi"; flowbits:set,ET.SuspExeTLDs; flowbits:noalert; reference:url,www.spamhaus.org/statistics/tlds/; classtype:misc-activity; sid:2025501; rev:2; metadata:created_at 2018_04_16, updated_at 2018_04_16;) alert tcp any any -> any 4786 (msg:"ET INFO Cisco Smart Install Protocol Observed"; flow:established,only_stream; content:"|00 00 00 01 00 00 00 01|"; depth:8; metadata: former_category INFO; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; classtype:misc-activity; sid:2025519; rev:1; metadata:attack_target Networking_Equipment, deployment Perimeter, deployment Internal, signature_severity Minor, created_at 2018_04_20, updated_at 2018_04_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possible Rogue LoJack Asset Tracking Agent"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"TagId|3a 20|"; http_header; fast_pattern; content:!".namequery.com|0d 0a|"; http_header; threshold: type limit, count 2, seconds 300, track by_src; metadata: former_category INFO; reference:url,asert.arbornetworks.com/lojack-becomes-a-double-agent/amp/; classtype:misc-attack; sid:2025553; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_05_02, updated_at 2018_05_02;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; 
flow:from_server,established; file_data; content:"%PDF-"; within:6; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:10; metadata:created_at 2010_09_25, updated_at 2010_09_25;) alert dns $HOME_NET any -> any any (msg:"ET INFO Observed DNS Query to .myq-see .com DDNS Domain"; dns_query; content:".myq-see.com"; nocase; isdataat:!1,relative; metadata: former_category INFO; classtype:policy-violation; sid:2025560; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_05_07, performance_impact Moderate, updated_at 2018_05_07;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO [eSentire] Possible Kali Linux Updates"; flow:established,to_server; content:"GET"; http_method; content:"APT-HTTP|2f|"; http_user_agent; content:"kali.org"; http_host; fast_pattern; pcre:"/^[a-z0-9.]+\.kali\.org/W"; metadata: former_category INFO; classtype:trojan-activity; sid:2025627; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_25, updated_at 2018_06_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe PDX in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDX-"; within:5; flowbits:set,ET.pdx.in.http; flowbits:noalert; metadata: former_category INFO; classtype:not-suspicious; sid:2025985; rev:2; metadata:affected_product Adobe_Reader, deployment Perimeter, signature_severity Audit, created_at 2018_08_10, performance_impact Low, updated_at 2018_08_10;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Adobe Flash Uncompressed in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"FWS"; within:3; flowbits:set,HTTP.UncompressedFlash; flowbits:noalert; metadata: former_category INFO; 
classtype:not-suspicious; sid:2016394; rev:7; metadata:deployment Perimeter, signature_severity Audit, created_at 2013_02_08, performance_impact Low, updated_at 2018_08_10;)
# NOTE(review): sid 2025986 (MP3 with ID3) is tagged affected_product Adobe_Flash, which does not describe the file type the
# rule detects; this is metadata only and does not change matching, but it misleads triage and filtering on affected_product.
# Also, content:"|FB FF|" looks byte-swapped relative to the MPEG audio frame sync, whose first byte is always 0xFF (e.g. FF FB
# for MPEG-1 Layer III without CRC) - confirm against the upstream rule and a sample before depending on the ET.mp3.in.http
# flowbit. Unlike its siblings this rule is declared on tcp/$HTTP_PORTS rather than the http app-layer; presumably intentional.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO MP3 with ID3 in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"ID3"; within:3; content:"|FB FF|"; distance:0; flowbits:set,ET.mp3.in.http; flowbits:noalert; metadata: former_category INFO; classtype:not-suspicious; sid:2025986; rev:1; metadata:affected_product Adobe_Flash, deployment Perimeter, signature_severity Audit, created_at 2018_08_10, performance_impact Low, updated_at 2018_08_10;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO AutoIt User Agent Downloading EXE"; flow:established,to_server; content:"GET"; http_method; content:".exe"; nocase; http_uri; isdataat:!1,relative; content:"AutoIt"; http_user_agent; depth:6; isdataat:!1,relative; fast_pattern; http_header_names; content:!"Referer"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2019935; rev:4; metadata:deployment Perimeter, tag AutoIt, signature_severity Audit, created_at 2014_12_15, performance_impact Low, updated_at 2018_08_14;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_Fan WMI)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|win32_fan"; fast_pattern; nocase; metadata: former_category INFO; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026074; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag PowerShell, tag Enumeration, tag Anti_VM, signature_severity Major, created_at 2018_09_05, performance_impact Low, updated_at 2018_09_05;) alert http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (MSAcpi_ThermalZoneTemperature WMI)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|MSAcpi_ThermalZoneTemperature"; fast_pattern; nocase; metadata: former_category INFO; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026075; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag PowerShell, tag Enumeration, tag Anti_VM, signature_severity Major, created_at 2018_09_05, performance_impact Low, updated_at 2018_09_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_PointingDevice WMI)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|Win32_PointingDevice"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; metadata: former_category INFO; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026076; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag PowerShell, tag Enumeration, tag Anti_VM, signature_severity Major, created_at 2018_09_05, performance_impact Low, updated_at 2018_09_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_DiskDevice WMI)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"Get-WmiObject -Query"; nocase; 
content:"Select|20|*|20|from|20|Win32_DiskDevice"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; metadata: former_category INFO; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026077; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag PowerShell, tag Enumeration, tag Anti_VM, signature_severity Major, created_at 2018_09_05, performance_impact Low, updated_at 2018_09_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Inbound PowerShell Checking for Virtual Host (Win32_BaseBoard WMI)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"Get-WmiObject -Query"; nocase; content:"Select|20|*|20|from|20|Win32_BaseBoard"; fast_pattern; nocase; content:"-contains|20|"; pcre:"/^\x22(?:v(mware|irtual|irtualbox|m\x20ware|box))/Rsi"; metadata: former_category INFO; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/; classtype:trojan-activity; sid:2026078; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag PowerShell, tag Enumeration, tag Anti_VM, signature_severity Major, created_at 2018_09_05, performance_impact Low, updated_at 2018_09_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (AntiVirusProduct)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|AntiVirusProduct"; distance:0; fast_pattern; nocase; threshold:type limit, count 1, seconds 60, track by_src; metadata: former_category INFO; 
reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026413; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag VBS, tag Enumeration, signature_severity Major, created_at 2018_09_26, performance_impact Low, updated_at 2018_09_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (AntiSpywareProduct)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|AntiSpywareProduct"; distance:0; fast_pattern; nocase; threshold:type limit, count 1, seconds 60, track by_src; metadata: former_category INFO; reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026414; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag VBS, tag Enumeration, signature_severity Major, created_at 2018_09_26, performance_impact Low, updated_at 2018_09_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possible System Enumeration via WMI Queries (FirewallProduct)"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"On|20|Error|20|Resume|20|Next|0d 0a|"; depth:25; content:"SELECT|20 2a 20|FROM|20|FirewallProduct"; distance:0; fast_pattern; nocase; threshold:type limit, count 1, seconds 60, track by_src; metadata: former_category INFO; reference:md5,11f792cc617cf5c08603d4da829a1fa9; classtype:policy-violation; sid:2026415; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag VBS, tag Enumeration, signature_severity Major, created_at 2018_09_26, performance_impact Low, updated_at 2018_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Generic 000webhostapp.com POST 2018-09-27 (set)"; 
flow:to_server,established; content:"POST"; http_method; content:".000webhostapp.com"; http_host; isdataat:!1,relative; fast_pattern; flowbits:set,ET.000webhostpost; flowbits:noalert; metadata: former_category INFO; classtype:trojan-activity; sid:2026420; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_09_27, updated_at 2018_09_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Possibly Malicious VBS Writing to Persistence Registry Location"; flow:established,from_server; content:"200"; http_stat_code; file_data; content:"on|20|error|20|resume|20|next"; nocase; content:".regwrite|20 22|"; distance:0; content:"|5c|software|5c|microsoft|5c|windows|5c|currentversion|5c|run"; distance:0; within:80; fast_pattern; metadata: former_category INFO; reference:md5,cac1aedbcb417dcba511db5caae4b8c0; classtype:trojan-activity; sid:2026427; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, tag VBS, tag Persistence, signature_severity Major, created_at 2018_09_28, performance_impact Low, updated_at 2018_09_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO JAR Containing Executable Downloaded"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:".exe"; fast_pattern; nocase; metadata: former_category CURRENT_EVENTS; classtype:trojan-activity; sid:2016379; rev:6; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag DriveBy, signature_severity Major, created_at 2013_02_08, updated_at 2018_10_09;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Suspicious Redirect to Download EXE from Bitbucket"; flow:established,to_client; content:"302"; http_stat_code; content:"Location|3a 20|https://bitbucket.org"; http_header; content:".exe|0d 0a|"; http_header; distance:0; metadata: 
former_category INFO; classtype:bad-unknown; sid:2026515; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_10_17, updated_at 2018_10_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO GET to Puu.sh for TXT File with Minimal Headers"; flow:to_server,established; content:"GET"; http_method; content:".txt"; http_uri; nocase; isdataat:!1,relative; content:"puu.sh"; http_host; depth:6; isdataat:!1,relative; fast_pattern; http_header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; depth:22; isdataat:!1,relative; metadata: former_category INFO; classtype:bad-unknown; sid:2026569; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_11_02, updated_at 2018_11_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Possibly Suspicious Request for Putty.exe from Non-Standard Download Location"; flow:to_server,established; content:"GET"; http_method; content:"/putty.exe"; http_uri; nocase; isdataat:!1,relative; content:!"the.earth.li"; http_host; metadata: former_category INFO; classtype:bad-unknown; sid:2026570; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_11_02, updated_at 2018_11_02;) alert tcp $HOME_NET any -> any 22 (msg:"ET INFO Plaintext SSH Authentication Identified (Encryption set to None)"; flow:established,to_server; content:"|00 00 00|"; content:"|00 00 00|"; distance:0; within:50; content:"|0e|ssh-connection|00 00 00 08|password|00 00 00 00|"; distance:0; within:31; content:"|00 00 00 00 00 00 00 00 00|"; distance:0; metadata: former_category INFO; reference:url,hamwan.org/Standards/Network%20Engineering/Authentication/SSH%20Without%20Encryption.html; classtype:attempted-user; sid:2026643; rev:2; metadata:attack_target 
Client_and_Server, deployment Perimeter, deployment Internal, signature_severity Major, created_at 2018_11_21, performance_impact Low, updated_at 2018_11_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Minimal HTTP GET Request to Bit.ly"; flow:established,to_server; content:"GET"; http_method; http_start; content:"HTTP/1.1|0d 0a|Host|3a 20|bit.ly|0d 0a|Connection|3a 20|Keep-Alive|0d 0a 0d 0a|"; isdataat:!1,relative; fast_pattern; metadata: former_category INFO; classtype:bad-unknown; sid:2026674; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_11_29, updated_at 2018_11_29;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M2"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0A|"; depth:28; fast_pattern; byte_test:1,!=,0x4D,0,relative; metadata: former_category INFO; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026684; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Audit, created_at 2018_12_04, performance_impact Moderate, updated_at 2018_12_04;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO Certificate with Unknown Content M1"; flow:established,to_client; file_data; content:"-----BEGIN CERTIFICATE-----|0D 0A|"; depth:29; fast_pattern; byte_test:1,!=,0x4D,0,relative; metadata: former_category INFO; reference:url,blog.nviso.be/2018/07/31/powershell-inside-a-certificate-part-1/; classtype:misc-activity; sid:2026649; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_11_26, performance_impact Moderate, updated_at 2018_11_26;) # Emerging Threats # # This distribution may contain rules under two 
different licenses. # # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html # # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License # as follows: # #************************************************************* # Copyright (c) 2003-2017, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # # # # # This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced. alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; classtype:trojan-activity; sid:2008402; rev:3; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; classtype:trojan-activity; sid:2002003; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; classtype:trojan-activity; sid:2002048; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; classtype:trojan-activity; sid:2002099; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware versionconfig POST"; 
flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; classtype:trojan-activity; sid:2002354; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Actionlibs Download"; flow:to_server,established; uricontent:"/actionurls/ActionUrlb"; nocase; uricontent:"partnerid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; classtype:trojan-activity; sid:2003057; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; uricontent:"/ZangoTBInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; classtype:trojan-activity; sid:2003059; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; uricontent:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; classtype:trojan-activity; sid:2003060; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; uricontent:"/php/uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2003061; classtype:trojan-activity; sid:2003061; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; classtype:trojan-activity; sid:2003610; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; classtype:trojan-activity; sid:2001447; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 51yes.com Spyware Reporting User Activity"; flow:established,to_server; uricontent:"/sa.aspx?id="; nocase; uricontent:"&refe=http"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; classtype:trojan-activity; sid:2003620; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV"; nocase; uricontent:"?ID={"; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; classtype:trojan-activity; sid:2001730; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; uricontent:"keywords/kyf"; nocase; content:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; classtype:trojan-activity; sid:2002001; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; classtype:misc-attack; sid:2000514; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; classtype:policy-violation; sid:2001563; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET MALWARE Abox Download"; flow:established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset:160; depth:26; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; classtype:trojan-activity; sid:2001440; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; content:"/trackedevent.aspx?"; nocase; http_uri; content:"ver="; nocase; http_uri; content:"&ver="; 
nocase; http_uri; content:"&rnd="; http_uri; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; classtype:trojan-activity; sid:2003306; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE Lookup of Malware Domain twothousands.cm Likely Infection"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|twothousands|02|cm"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012176; rev:1; metadata:created_at 2011_01_12, updated_at 2011_01_12;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mozilla 3.0 and Indy Library User-Agent Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; classtype:trojan-activity; sid:2012536; rev:3; metadata:created_at 2011_03_22, updated_at 2011_03_22;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Unknown Malware PUTLINK Command Message"; flow:established,from_server; content:"CMD PUTLINK http|3A|//"; nocase; content:"Inject|3A|"; nocase; distance:0; classtype:trojan-activity; sid:2012615; rev:2; metadata:created_at 2011_03_31, updated_at 2011_03_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE overtls.com adware request"; flow:to_server,established; content:"/sidebar.asp?bn=0&qy="; http_uri; content:"EmbeddedWB"; http_header; classtype:trojan-activity; sid:2012693; rev:3; metadata:created_at 2011_04_19, updated_at 2011_04_19;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent (GabPath)"; flow:to_server,established; content:"User-Agent|3a| GabPath"; http_header; classtype:trojan-activity; sid:2011293; rev:7; metadata:created_at 2010_09_28, updated_at 2010_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RogueAntiSpyware.AntiVirusPro Checkin"; 
flow:established,to_server; content:"php?type=stats&affid="; http_uri; content:"&subid="; http_uri; content:"&version="; http_uri; content:"&adwareok"; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; classtype:trojan-activity; sid:2013149; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidetab or Related Trojan Checkin"; flow:established,to_server; content:"/install.asp?"; http_uri; content:"version="; http_uri; content:"&id="; http_uri; content:"&mac="; http_uri; content:".co.kr|0d 0a|"; http_header; classtype:trojan-activity; sid:2013182; rev:1; metadata:created_at 2011_07_04, updated_at 2011_07_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Unknown Malware patchlist.xml Request"; flow:established,to_server; content:"/update/patchlist.xml"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2013200; rev:2; metadata:created_at 2011_07_05, updated_at 2011_07_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SweetIM Install in Progress"; flow:established,to_server; content:"/download/install/silent/SSweetIMSetup.CIS"; nocase; http_uri; classtype:trojan-activity; sid:2013243; rev:2; metadata:created_at 2011_07_11, updated_at 2011_07_11;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:trojan-activity; sid:2013389; rev:2; metadata:created_at 2011_08_10, updated_at 2011_08_10;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfSideKick Activity (iinfo)"; flow:established,to_server; content:"/iinfo.htm?host="; http_uri; content:"&action=update"; http_uri; content:"&ver="; http_uri; 
content:"&bundle="; http_uri; content:"&client="; http_uri; content:"&bp_id="; http_uri; content:"&prmerr="; http_uri; content:"&ir="; http_uri; classtype:trojan-activity; sid:2013448; rev:6; metadata:created_at 2011_08_22, updated_at 2011_08_22;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:bad-unknown; sid:2013658; rev:2; metadata:created_at 2011_09_15, updated_at 2011_09_15;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware/Helpexpress User Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013729; rev:2; metadata:created_at 2011_09_30, updated_at 2011_09_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def)"; flow:established,to_server; content:"User-Agent|3A 20|ic Windows NT 5.1 MSIE 6.0 Firefox/ Def"; http_header; classtype:trojan-activity; sid:2013999; rev:2; metadata:created_at 2011_12_08, updated_at 2011_12_08;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 404Search Spyware User-Agent (404search)"; flow:established,to_server; content:"User-Agent|3a| 404search"; http_header; reference:url,doc.emergingthreats.net/2001852; classtype:trojan-activity; sid:2001852; rev:28; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adload.Generic Spyware User-Agent (91castInstallKernel)"; flow:to_server,established; content:"User-Agent|3a| 91cast"; nocase; http_header; reference:url,doc.emergingthreats.net/2003640; 
classtype:trojan-activity; sid:2003640; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pigeon.AYX/AVKill Related User-Agent (CTTBasic)"; flow:established,to_server; content:"User-Agent|3a| CTT"; http_header; reference:url,doc.emergingthreats.net/2009236; classtype:trojan-activity; sid:2009236; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adwave.com Related Spyware User-Agent (STBHOGet)"; flow:to_server,established; content:"User-Agent|3a| STBHOGet|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003500; classtype:trojan-activity; sid:2003500; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alawar Toolbar Spyware User-Agent (Alawar Toolbar)"; flow:to_server,established; content:"User-Agent|3a| Alawar Toolbar"; nocase; http_header; reference:url,www.bleepingcomputer.com/uninstall/68/Alawar-Toolbar.html; reference:url,doc.emergingthreats.net/2003506; classtype:trojan-activity; sid:2003506; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antivermins.com Spyware/Adware User-Agent (AntiVermeans)"; flow:to_server,established; content:"User-Agent|3a| AntiVermeans"; nocase; http_header; reference:url,www.bleepingcomputer.com/forums/topic69886.htm; reference:url,doc.emergingthreats.net/2003531; classtype:trojan-activity; sid:2003531; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ET MALWARE AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser)"; flow:to_server,established; content:"User-Agent|3a|"; nocase; http_header; content:"AntiVerminser"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003336; classtype:trojan-activity; sid:2003336; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Better Internet Spyware User-Agent (thnall)"; flow: to_server,established; content:"THNALL"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+THNALL[^\n]+\.EXE/iH"; reference:url,doc.emergingthreats.net/2002002; classtype:trojan-activity; sid:2002002; rev:30; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoolWebSearch Spyware User-Agent (iefeatsl)"; flow:to_server,established; content:"User-Agent|3a| iefeatsl"; nocase; http_header; reference:url,www.applicationsignatures.com/backend/index.php; reference:url,doc.emergingthreats.net/2003570; classtype:trojan-activity; sid:2003570; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE chnsystem.com Spyware User-Agent (Update1.0)"; flow:established,to_server; content:"User-Agent|3a| Update1.0"; http_header; reference:url,doc.emergingthreats.net/2010680; classtype:trojan-activity; sid:2010680; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Surfaccuracy.com Spyware Install User-Agent (SF Installer)"; flow:to_server,established; content:"SF Installer"; 
http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003428; classtype:trojan-activity; sid:2003428; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE xxxtoolbar.com Spyware Install User-Agent"; flow:to_server,established; content:"User-Agent|3a 32 8b 86 85 86 8e 85 86 8c 0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003429; classtype:trojan-activity; sid:2003429; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CommonName.com Spyware/Adware User-Agent (CommonName Agent)"; flow:to_server,established; content:"User-Agent|3a| CommonName"; nocase; http_header; reference:url,www.pestpatrol.com/spywarecenter/pest.aspx?id=453078618; reference:url,doc.emergingthreats.net/2003532; classtype:trojan-activity; sid:2003532; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Context Plus User-Agent (PTS)"; flow: to_server,established; content:"User-Agent|3a| PTS"; http_header; reference:url,www.contextplus.net; reference:url,doc.emergingthreats.net/2002403; classtype:trojan-activity; sid:2002403; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cpushpop.com Spyware User-Agent (CPUSH_UPDATER)"; flow:established,to_server; content:"User-Agent|3a| CPUSH_"; http_header; reference:url,doc.emergingthreats.net/2006553; classtype:trojan-activity; sid:2006553; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (CustomSpy)"; flow:to_server,established; content:"User-Agent|3a| |28|CustomSpy|29 0d 0a|"; http_header; 
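reference:url,doc.emergingthreats.net/2011271; classtype:trojan-activity; sid:2011271; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# ---------------------------------------------------------------------------
# ET MALWARE: HTTP User-Agent signatures for spyware / adware / toolbar / fake-AV
# families.
# Layout: exactly one rule per line. A line beginning with "#" is a disabled
# rule and is ignored by the engine. Rules that were joined onto one line (the
# state this section was in before this cleanup) do not parse as separate
# signatures, so a disabled "#alert" also silenced every rule that followed it
# on the same line; never join rules.
# Every rule here matches a literal User-Agent value in the HTTP header buffer
# (content:"User-Agent|3a| ..."; http_header) on $HOME_NET -> $EXTERNAL_NET
# traffic. "nocase" makes the token match case-insensitively; a trailing
# |0d 0a| requires the header line to end right after the token (exact value),
# without it the token is only a prefix of the User-Agent. All but one rule
# (sid 2008372, see note) require flow:to_server,established.
# The doc.emergingthreats.net/<sid> reference is the signature's doc page.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deepdo Toolbar User-Agent (FavUpdate)"; flow:established,to_server; content:"User-Agent|3a| FavUpdate"; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Deepdo%20Toolbar&threatid=129378; reference:url,doc.emergingthreats.net/2008457; classtype:trojan-activity; sid:2008457; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate)"; flow:established,to_server; content:"User-Agent|3a| DeepdoUpdate/"; nocase; http_header; reference:url,doc.emergingthreats.net/2006386; classtype:trojan-activity; sid:2006386; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EELoader Malware Packages User-Agent (EELoader)"; flow:to_server,established; content:"User-Agent|3a| EELoader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003613; classtype:trojan-activity; sid:2003613; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ezula Related User-Agent (mez)"; flow: to_server,established; content:"User-Agent|3a| mez|0d 0a|"; nocase; http_header; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/2000586; classtype:trojan-activity; sid:2000586; rev:32; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ErrorNuker FakeAV User-Agent (ERRN2004 (Windows XP))"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| ERRN200"; http_header; reference:url,doc.emergingthreats.net/2009861; classtype:trojan-activity; sid:2009861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): sid 2003569 cites doc.emergingthreats.net/2003567, a different id from its own sid - verify the reference before re-enabling.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER)"; flow:to_server,established; content:"User-Agent|3a| EVNUKER"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:trojan-activity; sid:2003569; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (FaceCooker)"; flow:to_server,established; content:"User-Agent|3a| FaceCooker"; nocase; http_header; reference:url,doc.emergingthreats.net/2010717; classtype:trojan-activity; sid:2010717; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus)"; flow:established,to_server; content:"User-Agent|3a| Update Internet Antivirus"; http_header; reference:url,doc.emergingthreats.net/2008647; classtype:trojan-activity; sid:2008647; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE malwarewipeupdate.com Spyware User-Agent (MalwareWipe)"; flow:to_server,established; content:"User-Agent|3a| MalwareWipe|0d 0a|"; nocase; http_header; reference:url,www.malwarewipeupdate.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MalwareWipe&threatid=43086; reference:url,doc.emergingthreats.net/2003489; classtype:trojan-activity; sid:2003489; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virusblast.com Fake AV/Anti-Spyware User-Agent (ad-protect)"; flow:to_server,established; content:"User-Agent|3a| ad-protect"; nocase; http_header; reference:url,spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.virusblast.com; reference:url,doc.emergingthreats.net/2003476; classtype:trojan-activity; sid:2003476; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Terminexor.com Spyware User-Agent (DInstaller2)"; flow:to_server,established; content:"User-Agent|3a| DInstaller"; nocase; http_header; reference:url,www.terminexor.com; reference:url,netrn.net/spywareblog/archives/2004/12/23/more-rip-off-ware-terminexor; reference:url,doc.emergingthreats.net/2003477; classtype:trojan-activity; sid:2003477; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Errornuker.com Fake Anti-Spyware User-Agent (ERRORNUKER)"; flow:to_server,established; content:"User-Agent|3a| ERRORNUKER"; nocase; http_header; reference:url,www.spywarewarrior.com/rogue_anti-spyware.htm; reference:url,www.errornuker.com; reference:url,doc.emergingthreats.net/2003478; classtype:trojan-activity; sid:2003478; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Cleancop.co.kr Fake AV User-Agent (CleancopUpdate)"; flow:established,to_server; content:"User-Agent|3a| Cleancop"; http_header; reference:url,doc.emergingthreats.net/2008484; classtype:trojan-activity; sid:2008484; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchtool.co.kr Fake Product User-Agent (searchtoolup)"; flow:established,to_server; content:"User-Agent|3a| searchtool"; http_header; reference:url,doc.emergingthreats.net/2008485; classtype:trojan-activity; sid:2008485; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AntiSpywareMaster.com Fake AV User-Agent (AsmUpdater)"; flow:to_server,established; content:"User-Agent|3a| AsmUpdater"; http_header; reference:url,doc.emergingthreats.net/2008294; classtype:trojan-activity; sid:2008294; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dokterfix.com Fake AV User-Agent (Magic NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Magic NetInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007977; classtype:trojan-activity; sid:2007977; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader)"; flow:established,to_server; content:"User-Agent|3a| IM Downloader|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2008000; classtype:trojan-activity; sid:2008000; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mycomclean.com Spyware User-Agent (HTTP_GET_COMM)"; flow:to_server,established; content:"User-Agent|3a| HTTP_GET_COMM|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007881; classtype:trojan-activity; sid:2007881; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mycomclean.com Spyware User-Agent (SHINI)"; flow:to_server,established; content:"User-Agent|3a| SHINI|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007882; classtype:trojan-activity; sid:2007882; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virusheat.com Fake Anti-Spyware User-Agent (VirusHeat 4.3)"; flow:to_server,established; content:"User-Agent|3a| VirusHeat"; http_header; reference:url,doc.emergingthreats.net/2007883; classtype:trojan-activity; sid:2007883; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download)"; flow:established,to_server; content:"User-Agent|3a| IM Download|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007759; classtype:trojan-activity; sid:2007759; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Drpcclean.com Related Spyware User-Agent (DrPCClean Transmit)"; flow:to_server,established; content:"User-Agent|3a| DrPCClean"; http_header; reference:url,doc.emergingthreats.net/2007839; classtype:trojan-activity; sid:2007839; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1)"; flow:established,to_server; content:"User-Agent|3a| IEDefender "; nocase; http_header; reference:url,doc.emergingthreats.net/2007690; classtype:trojan-activity; sid:2007690; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winxpperformance.com Related Spyware User-Agent (Microsoft Internet Browser)"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Browser|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2007660; classtype:trojan-activity; sid:2007660; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VirusProtectPro Spyware User-Agent (VirusProtectPro)"; flow:established,to_server; content:"User-Agent|3a| VirusProtectPro"; http_header; reference:url,doc.emergingthreats.net/2007617; classtype:trojan-activity; sid:2007617; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ufixer.com Fake Antispyware User-Agent (Ultimate Fixer)"; flow: established,to_server; content:"User-Agent|3a| Ultimate Fixer"; nocase; http_header; reference:url,doc.emergingthreats.net/2007645; classtype:trojan-activity; sid:2007645; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vikiller.com Fake Antispyware User-Agent (vikiller ctrl...)"; flow: established,to_server; content:"User-Agent|3a| vikiller ctrl"; nocase; http_header; reference:url,doc.emergingthreats.net/2007582; classtype:trojan-activity; sid:2007582; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Fast Browser Search)"; flow:to_server,established; content:"User-Agent|3a| Fast Browser Search"; nocase; http_header; reference:url,doc.emergingthreats.net/2010676; classtype:trojan-activity; sid:2010676; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Hostile User-Agent (Forthgoer)"; flow:to_server,established; content:"User-Agent|3a| Forthgoer"; http_header; reference:url,doc.emergingthreats.net/2011247; classtype:trojan-activity; sid:2011247; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Freeze.com Spyware User-Agent (YourScreen123)"; flow:to_server,established; content:"User-Agent|3a| YourScreen"; http_header; reference:url,doc.emergingthreats.net/2003405; classtype:trojan-activity; sid:2003405; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamehouse.com Related Spyware User-Agent (Sprout Game)"; flow:to_server,established; content:"User-Agent|3a| Sprout Game|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003498; classtype:trojan-activity; sid:2003498; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
# NOTE(review): sid 2008372 is the only rule in this group whose flow keyword gives no direction ("flow: established;"), so it is not limited to client requests like its neighbours - confirm that is intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adsincontext.com Related Spyware User-Agent (Connector v1.2)"; flow: established; content:"User-Agent|3a| Connector v"; http_header; reference:url,doc.emergingthreats.net/2008372; classtype:trojan-activity; sid:2008372; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Coolstreaming"; nocase; http_header; reference:url,doc.emergingthreats.net/2003652; classtype:trojan-activity; sid:2003652; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Debelizombi.com Spyware User-Agent (blahrx)"; flow:established,to_server; content:"User-Agent|3a| blahrx"; http_header; reference:url,doc.emergingthreats.net/2006778; classtype:trojan-activity; sid:2006778; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Effectivebrands.com Spyware User-Agent (atsu)"; flow:to_server,established; content:"User-Agent|3a| atsu|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006370; classtype:trojan-activity; sid:2006370; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Effectivebrands.com Spyware User-Agent (GTBank)"; flow:to_server,established; content:"User-Agent|3a| GTBank"; nocase; http_header; reference:url,doc.emergingthreats.net/2003654; classtype:trojan-activity; sid:2003654; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirage.ru Related Spyware User-Agent (szNotifyIdent)"; flow:established,to_server; content:"User-Agent|3a| szNotifyIdent"; http_header; reference:url,doc.emergingthreats.net/2006782; classtype:trojan-activity; sid:2006782; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Popads123.com Related Spyware User-Agent (LmaokaazLdr)"; flow:established,to_server; content:"User-Agent|3a| LmaokaazLdr"; nocase; http_header; reference:url,doc.emergingthreats.net/2007694; classtype:trojan-activity; sid:2007694; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trafficadvance.net Spyware User-Agent (Internet 1.0)"; flow:to_server,established; content:"User-Agent|3a| Internet 1."; nocase; http_header; reference:url,doc.emergingthreats.net/2003655; classtype:trojan-activity; sid:2003655; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zredirector.com Related Spyware User-Agent (BndDriveLoader)"; flow:established,to_server; content:"User-Agent|3a| BndDriveLoader"; nocase; http_header; reference:url,doc.emergingthreats.net/2007693; classtype:trojan-activity; sid:2007693; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.Win32.InternetAntivirus User-Agent (General Antivirus)"; flow:to_server,established; content:"User-Agent|3a| General Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010679; classtype:trojan-activity; sid:2010679; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044)"; flow:established,to_server; content:"User-Agent|3a| UbrenQuatroRusDldr"; http_header; reference:url,doc.emergingthreats.net/2008202; classtype:trojan-activity; sid:2008202; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr)"; flow:established,to_server; content:"User-Agent|3a| BndVeano4GetDownldr"; http_header; reference:url,doc.emergingthreats.net/2008203; classtype:trojan-activity; sid:2008203; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update)"; flow:to_server,established; content:"User-Agent|3a| fs3update|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007935; classtype:trojan-activity; sid:2007935; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager)"; flow:to_server,established; content:"User-Agent|3a| fian3manager|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007938; classtype:trojan-activity; sid:2007938; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Qcbar/Adultlinks Spyware User-Agent (IBSBand)"; flow:to_server,established; content:"User-Agent|3a| IBSBand-"; http_header; reference:url,doc.emergingthreats.net/2006362; classtype:trojan-activity; sid:2006362; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE YourSiteBar User-Agent (istsvc)"; flow: to_server,established; content:"User-Agent|3a| istsvc|0d 0a|"; nocase; http_header; reference:url,www.ysbweb.com; reference:url,doc.emergingthreats.net/2001699; classtype:trojan-activity; sid:2001699; rev:261; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (InTeRNeT)"; flow:to_server,established; content:"User-Agent|3a| |5f|InTeRNeT"; http_header; reference:url,doc.emergingthreats.net/2011127; classtype:trojan-activity; sid:2011127; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Infobox3 Spyware User-Agent (InfoBox)"; flow:established,to_server; content:"User-Agent|3a| InfoBox"; http_header; reference:url,doc.emergingthreats.net/2010934; classtype:trojan-activity; sid:2010934; rev:5; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Movies-etc User-Agent (IOInstall)"; flow: to_server,established; content:"User-Agent|3a| IOInstall"; nocase; http_header; reference:url,www.movies-etc.com; reference:url,doc.emergingthreats.net/2002404; classtype:trojan-activity; sid:2002404; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet-optimizer.com Related Spyware User-Agent (SexTrackerWSI)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| SexTrackerWSI"; nocase; http_header; reference:url,doc.emergingthreats.net/2003627; classtype:trojan-activity; sid:2003627; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/InternetAntivirus User-Agent (Internet Antivirus Pro)"; flow:to_server,established; content:"User-Agent|3a| Internet Antivirus"; nocase; http_header; reference:url,doc.emergingthreats.net/2010218; classtype:trojan-activity; sid:2010218; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE dns-look-up.com Spyware User-Agent (KRSystem)"; flow:to_server,established; content:"User-Agent|3a| KRSystem"; nocase; http_header; reference:url,doc.emergingthreats.net/2003625; classtype:trojan-activity; sid:2003625; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE No-ad.co.kr Fake AV Related User-Agent (U2Clean)"; flow: established,to_server; content:"User-Agent|3a| U2Clean"; http_header; reference:url,doc.emergingthreats.net/2009289; classtype:trojan-activity; sid:2009289; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Viruskill.co.kr Fake AV User-Agent Detected (virus_kill)"; flow:to_server,established; content:"User-Agent|3a| virus_kill"; http_header; reference:url,doc.emergingthreats.net/2009150; classtype:trojan-activity; sid:2009150; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): sid 2009157 matches a User-Agent that is exactly "N1" (anchored by |0d 0a|). A two-character agent string is a weak indicator on its own; expect to tune this with threshold/suppress per sensor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake AV User-Agent (N1)"; flow:to_server,established; content:"User-Agent|3a| N1|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009157; classtype:trojan-activity; sid:2009157; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Viruscheck.co.kr Fake Antispyware User-Agent (viruscheck)"; flow: established,to_server; content:"User-Agent|3a| viruscheck"; nocase; http_header; reference:url,doc.emergingthreats.net/2007643; classtype:trojan-activity; sid:2007643; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mycashbank.co.kr Spyware User-Agent (pint_agency)"; flow:established,to_server; content:"User-Agent|3a| pint_agency"; http_header; reference:url,doc.emergingthreats.net/2006413; classtype:trojan-activity; sid:2006413; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Platinumreward.co.kr Spyware User-Agent (WT_GET_COMM)"; flow:established,to_server; content:"User-Agent|3a| WT_GET_COMM"; http_header; reference:url,doc.emergingthreats.net/2006422; classtype:trojan-activity; sid:2006422; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vaccineprogram.co.kr Related Spyware User-Agent (anycleaner)"; flow:established,to_server; content:"User-Agent|3a| anycleaner"; http_header; reference:url,doc.emergingthreats.net/2006419; classtype:trojan-activity; sid:2006419; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Doctorvaccine.co.kr Related Spyware User-Agent (DoctorVaccine)"; flow:established,to_server; content:"User-Agent|3a| DoctorVaccine"; http_header; reference:url,doc.emergingthreats.net/2006421; classtype:trojan-activity; sid:2006421; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Doctorvaccine.co.kr Related Spyware-User Agent (ers)"; flow:established,to_server; content:"User-Agent|3a| ers|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007809; classtype:trojan-activity; sid:2007809; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Doctorpro.co.kr Related Spyware User-Agent (doctorpro1)"; flow:established,to_server; content:"User-Agent|3a| doctorpro"; http_header; reference:url,doc.emergingthreats.net/2006423; classtype:trojan-activity; sid:2006423; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karine.co.kr Related Spyware User Agent (chk Profile)"; flow:established,to_server; content:"User-Agent|3a| chk Profile|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006429; classtype:trojan-activity; sid:2006429; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Karine.co.kr Related Spyware User-Agent (Access down)"; flow:established,to_server; content:"User-Agent|3a| Access down|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2006430; classtype:trojan-activity; sid:2006430; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus)"; flow:to_server,established; content:"User-Agent|3a| PCClear"; http_header; reference:url,www.pcclear.com; reference:url,www.pcclear.co.kr; reference:url,doc.emergingthreats.net/2008198; classtype:trojan-activity; sid:2008198; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE yeps.co.kr Related User-Agent (ISecu)"; flow:established,to_server; content:"User-Agent|3a| ISecu"; http_header; reference:url,doc.emergingthreats.net/2008204; classtype:trojan-activity; sid:2008204; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Nguide.co.kr Fake Security Tool User-Agent (nguideup)"; flow:to_server,established; content:"User-Agent|3a| nguideup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007947; classtype:trojan-activity; sid:2007947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Msconfig.co.kr Related User Agent (BACKMAN)"; flow:to_server,established; content:"User-Agent|3a| BACKMAN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007958; classtype:trojan-activity; sid:2007958; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Msconfig.co.kr Related User-Agent (GLOBALx)"; flow:to_server,established; content:"User-Agent|3a| GLOBAL"; http_header; reference:url,doc.emergingthreats.net/2007959; classtype:trojan-activity; sid:2007959; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kpang.com Spyware User-Agent (auctionplusup)"; flow:to_server,established; content:"User-Agent|3a| auctionplusup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007900; classtype:trojan-activity; sid:2007900; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPGETDATA)"; flow:to_server,established; content:"User-Agent|3a| HTTPGETDATA|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007908; classtype:trojan-activity; sid:2007908; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTPFILEDOWN)"; flow:to_server,established; content:"User-Agent|3a| HTTPFILEDOWN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007909; classtype:trojan-activity; sid:2007909; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchspy.co.kr Spyware User-Agent (HTTP_FILEDOWN)"; flow:to_server,established; content:"User-Agent|3a| HTTP_FILEDOWN|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007910; classtype:trojan-activity; sid:2007910; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Donkeyhote.co.kr Spyware User-Agent (UDonkey)"; flow:to_server,established; content:"User-Agent|3a| UDonkey|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007927; classtype:trojan-activity; sid:2007927; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gcashback.co.kr Spyware User-Agent (InvokeAd)"; flow:to_server,established; content:"User-Agent|3a| InvokeAd|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007928; classtype:trojan-activity; sid:2007928; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Live Enterprise Suite)"; flow:to_server,established; content:"User-Agent|3a| Live Enterprise Suite"; nocase; http_header; reference:url,doc.emergingthreats.net/2010727; classtype:trojan-activity; sid:2010727; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewWeb User-Agent (Lobo Lunar)"; flow: established,to_server; content:"User-Agent|3a| Lobo Lunar"; http_header; reference:url,doc.emergingthreats.net/2009222; classtype:trojan-activity; sid:2009222; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MalwareWiped.com Spyware User-Agent (MalwareWiped)"; flow:to_server,established; content:"User-Agent|3a| MalwareWiped"; nocase; http_header; reference:url,doc.emergingthreats.net/2003582; classtype:trojan-activity; sid:2003582; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adwave/MarketScore User-Agent (WTA)"; flow: to_server,established; content:"User-Agent|3a| WTA_"; http_header; reference:url,www.adwave.com/our_mission.aspx; reference:url,www.marketscore.com; reference:url,doc.emergingthreats.net/2002394; classtype:trojan-activity; sid:2002394; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mirar_Toolbar)"; flow:to_server,established; content:"User-Agent|3a| Mirar_Toolbar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003929; classtype:trojan-activity; sid:2003929; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirar Spyware User-Agent (Mirar_KeywordContent)"; flow:to_server,established; content:"User-Agent|3a| Mirar_KeywordContent|0d 0a|"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078818; reference:url,doc.emergingthreats.net/2003490; classtype:trojan-activity; sid:2003490; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miva User-Agent (TPSystem)"; flow: to_server,established; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.miva.com; reference:url,www.findwhat.com; reference:url,doc.emergingthreats.net/2002395; classtype:trojan-activity; sid:2002395; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Miva Spyware User-Agent (Travel Update)"; flow: to_server,established; content:"User-Agent|3a| Travel Update|0d 0a|"; http_header; reference:url,www.miva.com; reference:url,doc.emergingthreats.net/2002396; classtype:trojan-activity; sid:2002396; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Msgplus.net Spyware/Adware User-Agent (MsgPlus3)"; flow:to_server,established; content:"User-Agent|3a| MsgPlus3"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Messenger%20Plus!&threatid=14931; reference:url,doc.emergingthreats.net/2003529; classtype:trojan-activity; sid:2003529; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE searchenginebar.com Spyware User-Agent (RX Bar)"; flow:to_server,established; content:"User-Agent|3a| RX Bar"; nocase; http_header; reference:url,doc.emergingthreats.net/2003407; classtype:trojan-activity; sid:2003407; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NavExcel Spyware User-Agent (NavHelper)"; flow:to_server,established; content:"User-Agent|3a| NavHelper"; nocase; http_header; reference:url,doc.emergingthreats.net/2005321; classtype:trojan-activity; sid:2005321; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (B Register)"; flow:established,to_server; content:"User-Agent|3a| B Register"; nocase; http_header; reference:url,doc.emergingthreats.net/2007597; classtype:trojan-activity; sid:2007597; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (updatesodui)"; flow:established,to_server; content:"User-Agent|3a| updatesodui"; nocase; http_header; reference:url,doc.emergingthreats.net/2007598; classtype:trojan-activity; sid:2007598; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NewWeb/Sudui.com Spyware User-Agent (aaaabbb)"; flow:established,to_server; content:"User-Agent|3a| aaaabbb"; nocase; http_header; reference:url,doc.emergingthreats.net/2007599; classtype:trojan-activity; sid:2007599; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Recuva User-Agent (OpenPage) - likely trojan dropper"; flow:to_server,established; content:"User-Agent|3a| OpenPage"; http_header; reference:url,doc.emergingthreats.net/2011101; classtype:trojan-activity; sid:2011101; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Personalweb Spyware User-Agent (PWMI/1.0)"; flow:to_server,established; content:"User-Agent|3a| PWMI/"; nocase; http_header; reference:url,doc.emergingthreats.net/2003926; classtype:trojan-activity; sid:2003926; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pivim Multibar User-Agent (Pivim Multibar)"; flow:established,to_server; content:"User-Agent|3a| Pivim"; http_header; reference:url,doc.emergingthreats.net/2009765; classtype:trojan-activity; sid:2009765; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg)"; flow:established,to_server; content:"User-Agent|3a| PopupBlockade"; http_header; reference:url,doc.emergingthreats.net/2008894; classtype:trojan-activity; sid:2008894; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Privacyprotector Related Spyware User-Agent (Ssol NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| Ssol NetInstaller"; http_header; reference:url,doc.emergingthreats.net/2008040; classtype:trojan-activity; sid:2008040; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adload.Generic Spyware User-Agent (ProxyDown)"; flow:to_server,established; content:"User-Agent|3a| ProxyDown"; nocase; http_header; reference:url,doc.emergingthreats.net/2003639; classtype:trojan-activity; sid:2003639; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp)"; flow:established,to_server; content:"User-Agent|3a| Releasexp|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009796; classtype:trojan-activity; sid:2009796; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AV2010 Rogue Security Application User-Agent (AV2010)"; flow:to_server,established; content:"User-Agent|3a| AV2010|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008656; classtype:trojan-activity; sid:2008656; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): sid 2001702 is the only rule in this group with classtype:policy-violation (all others use trojan-activity), and its token "Bundle" is unanchored (no trailing |0d 0a|), so any User-Agent beginning with "Bundle" matches; review priority/severity mapping downstream accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shop at Home Select Spyware User-Agent (Bundle)"; flow: established,to_server; content:"User-Agent|3a| Bundle"; http_header; reference:url,doc.emergingthreats.net/2001702; classtype:policy-violation; sid:2001702; rev:37; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shop at Home Select Spyware User-Agent (SAH)"; flow: 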
established,to_server; content:"SAH Agent"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2001707; classtype:policy-violation; sid:2001707; rev:33; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic.Malware.dld User-Agent (Sickloader)"; flow:to_server,established; content:"User-Agent|3a| Sickloader"; nocase; http_header; reference:url,doc.emergingthreats.net/2003644; classtype:trojan-activity; sid:2003644; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware User-Agent (Sidesearch)"; flow: established,to_server; content:"User-Agent|3a| Sidesearch"; http_header; reference:url,doc.emergingthreats.net/2001869; classtype:trojan-activity; sid:2001869; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidebar Related Spyware User-Agent (Sidebar Client)"; flow:established,to_server; content:"User-Agent|3a| Sidebar"; http_header; reference:url,doc.emergingthreats.net/2008201; classtype:trojan-activity; sid:2008201; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smileware Connection Spyware Related User-Agent (Smileware Connection)"; flow:established,to_server; content:"User-Agent|3a| Smileware"; http_header; reference:url,doc.emergingthreats.net/2008892; classtype:trojan-activity; sid:2008892; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent 
(SogouExplorerMiniSetup)"; flow:to_server,established; content:"User-Agent|3a| SogouExplorerMiniSetup"; nocase; http_header; reference:url,doc.emergingthreats.net/2010675; classtype:trojan-activity; sid:2010675; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRInstaller)"; flow:to_server,established; content:"User-Agent|3a| SRInstaller|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008145; classtype:trojan-activity; sid:2008145; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SpeedRunner)"; flow:to_server,established; content:"User-Agent|3a| SpeedRunner|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008146; classtype:trojan-activity; sid:2008146; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Speed-runner.com Fake Speed Test User-Agent (SRRecover)"; flow:to_server,established; content:"User-Agent|3a| SRRecover|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2008151; classtype:trojan-activity; sid:2008151; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyDawn.com Fake Anti-Spyware User-Agent (SpyDawn)"; flow:to_server,established; content:"User-Agent|3a| SpyDawn|0d 0a|"; nocase; http_header; reference:url,www.spywareguide.com/spydet_3366_spydawn.html; reference:url,doc.emergingthreats.net/2003499; classtype:trojan-activity; sid:2003499; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer)"; 
flow:to_server,established; content:"User-Agent|3a| SpyHeal"; nocase; http_header; reference:url,doc.emergingthreats.net/2003399; classtype:trojan-activity; sid:2003399; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Statblaster.com Spyware User-Agent (fetcher)"; flow:to_server,established; content:"User-Agent|3a| fetcher|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2005318; classtype:trojan-activity; sid:2005318; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Informer from RBC)"; flow:to_server,established; content:"Informer from RBC"; fast_pattern:only; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003205; classtype:trojan-activity; sid:2003205; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Download Agent) Possibly Related to TrinityAcquisitions.com"; flow:to_server,established; content:"User-Agent|3a| Download Agent"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003243; classtype:trojan-activity; sid:2003243; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (ms)"; flow:to_server,established; content:"User-Agent|3a| ms|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003497; classtype:trojan-activity; sid:2003497; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (DIALER)"; flow:to_server,established; content:"User-Agent|3a| DIALER"; nocase; 
http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003566; classtype:trojan-activity; sid:2003566; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (update)"; flow:to_server,established; content:"User-Agent|3a| update|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003583; classtype:trojan-activity; sid:2003583; rev:11; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (006)"; flow:established,to_server; content:"User-Agent|3a| 00"; http_header; pcre:"/User-Agent\: 00\d+\x0d\x0a/H"; reference:url,doc.emergingthreats.net/bin/view/Main/2006388; classtype:trojan-activity; sid:2006388; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Dummy)"; flow: established,to_server; content:"User-Agent|3a| Dummy"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007570; classtype:trojan-activity; sid:2007570; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (AntiSpyware) - Likely 2squared.com related"; flow: established,to_server; content:"User-Agent|3a| AntiSpyware"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007575; classtype:trojan-activity; sid:2007575; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware User-Agent 
(XXX)"; flow:established,to_server; content:"User-Agent|3a| XXX|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007648; classtype:trojan-activity; sid:2007648; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware User-Agent (QdrBi Starter)"; flow:established,to_server; content:"User-Agent|3a| QdrBi Starter|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007659; classtype:trojan-activity; sid:2007659; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware User-Agent (install_s)"; flow:established,to_server; content:"User-Agent|3a| install_"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007666; classtype:trojan-activity; sid:2007666; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware User-Agent (count)"; flow:established,to_server; content:"User-Agent|3a| count|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007667; classtype:trojan-activity; sid:2007667; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Internet Explorer (compatible))"; flow:to_server,established; content:"User-Agent|3a| Internet Explorer (compatible)|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007772; 
classtype:trojan-activity; sid:2007772; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (microsoft) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| microsoft|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007859; classtype:trojan-activity; sid:2007859; rev:7; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Firefox) - Possible Trojan Downloader"; flow:to_server,established; content:"User-Agent|3a| Firefox|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007868; classtype:trojan-activity; sid:2007868; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Example)"; flow:to_server,established; content:"User-Agent|3a| Example|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:trojan-activity; sid:2007884; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (HTTP_CONNECT)"; flow:to_server,established; content:"User-Agent|3a| HTTP_CONNECT|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007899; classtype:trojan-activity; sid:2007899; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (popup)"; flow:to_server,established; content:"User-Agent|3a| popup|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007946; 
classtype:trojan-activity; sid:2007946; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (double dashes)"; flow:to_server,established; content:"User-Agent|3a| |2d 2d 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007948; classtype:trojan-activity; sid:2007948; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (2 spaces)"; flow:to_server,established; content:"User-Agent|3a 20 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007993; classtype:trojan-activity; sid:2007993; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Internet)"; flow:to_server,established; content:"User-Agent|3a| Internet|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008013; classtype:trojan-activity; sid:2008013; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Win95)"; flow:to_server,established; content:"Win95"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+Win95/H"; reference:url,doc.emergingthreats.net/bin/view/Main/2008015; classtype:trojan-activity; sid:2008015; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Misspelled Mozilla User-Agent (Mozila)"; flow:to_server,established; content:"User-Agent|3a| Mozila"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008210; classtype:trojan-activity; sid:2008210; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent (FTP)"; flow: to_server,established; content:"User-Agent|3a| Ftp|0d 0a|"; nocase; http_header; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008735; classtype:trojan-activity; sid:2008735; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (bdsclk) - Possible Admoke Admware"; flow: to_server,established; content:"User-Agent|3a| bdsclk"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008743; classtype:trojan-activity; sid:2008743; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (IE_6.0)"; flow:to_server,established; content:"User-Agent|3a| IE_6.0"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009021; classtype:trojan-activity; sid:2009021; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (FileDownloader)"; flow:to_server,established; content:"User-Agent|3a| FileDownloader"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2009027; classtype:trojan-activity; sid:2009027; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (get_site1)"; flow:to_server,established; content:"User-Agent|3a| get_site"; http_header; reference:url,doc.emergingthreats.net/2009111; classtype:trojan-activity; sid:2009111; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (GETJOB)"; flow:to_server,established; content:"User-Agent|3a| GETJOB"; http_header; reference:url,doc.emergingthreats.net/2009124; classtype:trojan-activity; sid:2009124; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Mozilla/4.8 ru)"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.8 [ru] (Windows NT 6.0|3b| U)|0d 
0a|"; fast_pattern:12,17; http_header; reference:url,doc.emergingthreats.net/2009438; classtype:trojan-activity; sid:2009438; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (HelpSrvc)"; flow:established,to_server; content:"User-Agent|3a| HelpSrvc|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2009439; classtype:trojan-activity; sid:2009439; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (User Agent) - Likely Hostile"; flow:established,to_server; content:"User-Agent|3a| User Agent"; http_header; reference:url,doc.emergingthreats.net/2009930; classtype:trojan-activity; sid:2009930; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (ONANDON)"; flow:established,to_server; content:"User-Agent|3a| ONANDON|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2009995; classtype:trojan-activity; sid:2009995; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> any any (msg:"ET MALWARE Suspicious User-Agent (Sme32)"; flow: established, to_server; content:"User-Agent|3a| Sme32|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2010137; classtype:trojan-activity; sid:2010137; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (M0zilla)"; flow:established,to_server; content:"User-Agent|3A 20|M0zilla/4.0|20|(compatible)"; http_header; reference:url,doc.emergingthreats.net/2010265; classtype:trojan-activity; sid:2010265; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
MALWARE User-Agent (CrazyBro)"; flow:established,to_server; content:"User-Agent|3a| CrazyBro"; nocase; http_header; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,anubis.iseclab.org/?action=result&task_id=14118b80c1b346124c183394d5b3004b1&format=html; reference:url,doc.emergingthreats.net/2010333; classtype:trojan-activity; sid:2010333; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (ie) - Possible Trojan Downloader"; flow:established,to_server; content:"User-Agent|3a| ie|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2007827; classtype:trojan-activity; sid:2007827; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Mozilla User-Agent (Mozilla/0.xx) Inbound"; flow:established,to_server; content:"User-Agent|3a| Mozilla/0."; fast_pattern:11,11; http_header; reference:url,doc.emergingthreats.net/2010904; classtype:bad-unknown; sid:2010904; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Mozilla/4.0 (SP3 WINLD))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 |28|SP3 WINLD|29 0d 0a|"; http_header; fast_pattern:23,14; reference:url,doc.emergingthreats.net/2011238; classtype:trojan-activity; sid:2011238; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (browserbob.com)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| 
Windows NT 5.1|3b| SV1|3b| Made with www.browserbob.com|29 0d 0a|"; fast_pattern:68,20; http_header; classtype:trojan-activity; sid:2011279; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (TALWinInetHTTPClient)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| TALWinInetHTTPClient)|0d 0a|"; fast_pattern:17,20; http_header; classtype:trojan-activity; sid:2011283; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern:48,20; classtype:trojan-activity; sid:2011517; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 4.01|3b| Digital AlphaServer 1000A 4/233|3b| Windows NT|3b| Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase; http_header; fast_pattern:48,20; classtype:trojan-activity; sid:2011518; rev:3; metadata:created_at 2010_09_27, updated_at 2010_09_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE yeps.co.kr Related User-Agent (ISUpd)"; flow:established,to_server; content:"User-Agent|3a| ISUpd"; http_header; reference:url,doc.emergingthreats.net/2008205; classtype:trojan-activity; sid:2008205; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Download Master) - Possible Malware Downloader"; flow:established,to_server; content:"User-Agent|3a| Download 
Master"; http_header; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.httpuseragent.org/list/Download+Master-n727.htm; reference:url,www.westbyte.com/dm/; reference:url,doc.emergingthreats.net/2011146; classtype:policy-violation; sid:2011146; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (HTTP_Query)"; flow:to_server,established; content:"User-Agent|3a| HTTP_Query|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011678; classtype:trojan-activity; sid:2011678; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (dbcount)"; flow:to_server,established; content:"User-Agent|3a| dbcount|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011679; classtype:trojan-activity; sid:2011679; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE User-Agent (RangeCheck/0.1)"; flow:established,to_server; content:"User-Agent|3a| RangeCheck/0.1|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2011718; classtype:trojan-activity; sid:2011718; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Target Saver Spyware User-Agent (TSA)"; flow: established,to_server; content:"User-Agent|3a| TSA/"; http_header; reference:url,doc.emergingthreats.net/2001871; classtype:trojan-activity; sid:2001871; rev:23; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TryMedia Spyware User-Agent (TryMedia_DM_2.0.0)"; flow:established,to_server; content:"User-Agent|3a| TryMedia_DM_"; nocase; http_header; 
reference:url,doc.emergingthreats.net/2007600; classtype:trojan-activity; sid:2007600; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UCMore Spyware User-Agent (EI)"; flow: to_server,established; content:"User-Agent|3a| EI|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2001996; classtype:trojan-activity; sid:2001996; rev:15; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE www.vaccinekiller.com Related Spyware User-Agent (VaccineKillerIU)"; flow:established,to_server; content:"User-Agent|3a| VaccineKiller"; http_header; reference:url,doc.emergingthreats.net/2009993; classtype:trojan-activity; sid:2009993; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vombanetwork Spyware User-Agent (VombaProductsInstaller)"; flow:to_server,established; content:"User-Agent|3a| Vomba"; http_header; reference:url,doc.emergingthreats.net/2007869; classtype:trojan-activity; sid:2007869; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WTRecover)"; flow:established,to_server; content:"User-Agent|3a| WTRecover"; http_header; reference:url,doc.emergingthreats.net/2006392; classtype:trojan-activity; sid:2006392; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 
2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WTInstaller)"; flow:established,to_server; content:"User-Agent|3a| WTInstaller"; http_header; reference:url,doc.emergingthreats.net/2006393; classtype:trojan-activity; sid:2006393; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win-touch.com Spyware User-Agent (WinTouch)"; flow:established,to_server; content:"User-Agent|3a| WinTouch"; http_header; reference:url,doc.emergingthreats.net/2008141; classtype:trojan-activity; sid:2008141; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WinButler User-Agent (WinButler)"; flow:to_server,established; content:"User-Agent|3a| WinButler|0d 0a|"; http_header; reference:url,www.winbutler.com; reference:url,www.prevx.com/filenames/239975745155427649-0/WINBUTLER.EXE.html; reference:url,doc.emergingthreats.net/2008190; classtype:trojan-activity; sid:2008190; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware User-Agent (WinFixMaster)"; flow:to_server,established; content:"User-Agent|3a| WinFixMaster"; nocase; http_header; reference:url,doc.emergingthreats.net/2003544; classtype:trojan-activity; sid:2003544; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winsoftware.com Fake AV User-Agent (DNS Extractor)"; flow:to_server,established; content:"User-Agent|3a| 
DNS Extractor"; nocase; http_header; reference:url,doc.emergingthreats.net/2003567; classtype:trojan-activity; sid:2003567; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; content:"User-Agent|3a| WinSoftware"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:trojan-activity; sid:2003527; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WinSoftware.com Spyware User-Agent (NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| NetInstaller"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation,%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003528; classtype:trojan-activity; sid:2003528; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Yodao Desktop Dict)"; flow:to_server,established; content:"User-Agent|3a| Yodao"; http_header; reference:url,doc.emergingthreats.net/2011123; classtype:trojan-activity; sid:2011123; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Spyware User-Agent (host)"; flow: to_server,established; content:"User-Agent|3a| host"; nocase; http_header; pcre:"/User-Agent\:[^\n]+host(ie|oe|oi|ol)/Hi"; reference:url,www.doxdesk.com/parasite/Hotbar.html; reference:url,www.pchell.com/support/hotbar.shtml; 
reference:url,doc.emergingthreats.net/2002164; classtype:trojan-activity; sid:2002164; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zango Cash Spyware User-Agent (ZC-Bridgev26)"; flow:established,to_server; content:"User-Agent|3a| ZC-Bridgev"; http_header; reference:url,doc.emergingthreats.net/2006780; classtype:trojan-activity; sid:2006780; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zango Cash Spyware User-Agent (ZC XML-RPC C++ Client)"; flow:established,to_server; content:"User-Agent|3a| ZC XML-RPC"; http_header; reference:url,doc.emergingthreats.net/2006781; classtype:trojan-activity; sid:2006781; rev:39; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Agent User-Agent (PinballCorp)"; flow:to_server,established; content:"User-Agent|3a| PinballCorp"; nocase; http_header; reference:url,doc.emergingthreats.net/2011691; classtype:trojan-activity; sid:2011691; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZenoSearch Spyware User-Agent"; flow:to_server,established; content:"User-Agent|3a| ["; http_header; pcre:"/User-Agent\: \[.*\][A-F0-9]{2}-[A-F0-9]{2}-[A-F0-9]{2}/Hi"; reference:url,doc.emergingthreats.net/2008279; classtype:trojan-activity; sid:2008279; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET MALWARE User-Agent (gomtour)"; flow:to_server,established; content:"User-Agent|3a| gomtour|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011087; classtype:trojan-activity; sid:2011087; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (i-scan)"; flow:to_server,established; content:"User-Agent|3a| i-scan"; nocase; http_header; reference:url,doc.emergingthreats.net/2011105; classtype:trojan-activity; sid:2011105; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iWon Spyware (iWonSearchAssistant)"; flow:to_server,established; content:"User-Agent|3a| iWonSearch"; http_header; reference:url,www.spywareguide.com/product_show.php?id=461; reference:url,doc.emergingthreats.net/2002169; classtype:trojan-activity; sid:2002169; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE User-Agent (iexplore)"; flow:established,to_server; content:"User-Agent|3a| iexplore|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2000466; classtype:attempted-recon; sid:2000466; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (lineguide)"; flow:to_server,established; content:"User-Agent|3a| lineguide"; nocase; http_header; reference:url,doc.emergingthreats.net/2011106; classtype:trojan-activity; sid:2011106; rev:5; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Download UBAgent) - lop.com and other spyware"; flow:to_server,established; content:"Download UBAgent"; http_header; fast_pattern:only; 
reference:url,www.spywareinfo.com/articles/lop/; reference:url,doc.emergingthreats.net/2003345; classtype:trojan-activity; sid:2003345; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Worm.Pyks HTTP C&C Traffic User-Agent (skw00001)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| skw000"; http_header; reference:url,doc.emergingthreats.net/2003588; classtype:trojan-activity; sid:2003588; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:trojan-activity; sid:2011297; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (C\\WINDOWS\\system32\\NetLogom.exe)"; flow:established,to_server; content:"User-Agent|3a| C|3a 5c|WINDOWS|5c|system32|5c|NetLogom.exe"; http_header; classtype:bad-unknown; sid:2011334; rev:6; metadata:created_at 2010_09_28, updated_at 2010_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| http-get-demo|0d 0a|"; http_header; classtype:trojan-activity; sid:2011392; rev:4; metadata:created_at 2010_09_28, updated_at 2010_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Microsoft Internet Explorer 6.0) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| Microsoft Internet Explorer 6.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2011393; rev:3; metadata:created_at 2010_09_28, updated_at 2010_09_28;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (AdVantage)"; flow:established,to_server; content:"User-Agent|3A| AdVantage"; http_header; 
reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012104; rev:4; metadata:created_at 2011_12_27, updated_at 2011_12_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Gbot)"; flow:established,to_server; content:"User-Agent|3a| gbot"; http_header; classtype:trojan-activity; sid:2011872; rev:3; metadata:created_at 2010_10_29, updated_at 2010_10_29;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:trojan-activity; sid:2012172; rev:5; metadata:created_at 2011_01_12, updated_at 2011_01_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (0xa10xa1HttpClient)"; flow:established,to_server; content:"User-Agent|3a 20 a1 a1|HttpClient|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2012298; rev:3; metadata:created_at 2011_02_06, updated_at 2011_02_06;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; content:"|0d 0a 0d 0a|4d5a"; nocase; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; classtype:trojan-activity; sid:2012804; rev:5; metadata:created_at 2011_05_13, updated_at 2011_05_13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zugo.com SearchToolbar User-Agent (SearchToolbar)"; flow:established,to_server; content:"User-Agent|3a| Search Toolbar"; http_header; reference:url,www.zugo.com/faq/; reference:url,plus.google.com/109412257237874861202/posts/FXL1y8qG7YF; classtype:trojan-activity; sid:2013333; rev:4; metadata:created_at 2011_07_28, updated_at 2011_07_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent 
(Toolbar) Possibly Malware/Spyware"; flow:to_server,established; content:"User-Agent|3a| Toolbar"; http_header; content:!"cf.icq.com"; reference:url,doc.emergingthreats.net/bin/view/Main/2003463; classtype:trojan-activity; sid:2003463; rev:17; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Context Plus Spyware User-Agent (Apropos)"; flow: established,to_server; content:"AproposClient AutoLoader"; http_header; pcre:"/User-Agent\:[^\n]+Apropos/Hi"; reference:url,doc.emergingthreats.net/2001703; classtype:trojan-activity; sid:2001703; rev:34; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Context Plus Spyware User-Agent (Envolo)"; flow: established,to_server; content:"Envolo"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+Envolo/Hi"; reference:url,doc.emergingthreats.net/2001706; classtype:trojan-activity; sid:2001706; rev:35; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE dialno Dialer User-Agent (dialno)"; flow:to_server,established; content:"dialno"; http_header; pcre:"/User-Agent\:[^\n]+dialno/Hi"; threshold: type limit, count 5, seconds 60, track by_src; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347; reference:url,doc.emergingthreats.net/2003387; classtype:trojan-activity; sid:2003387; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropspam.com Spyware Install User-Agent (DSInstall)"; flow:to_server,established; 
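content:"DSInstall"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+DSInstall/iH"; reference:url,doc.emergingthreats.net/2003439; classtype:trojan-activity; sid:2003439; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yourscreen.com Spyware User-Agent (FreezeInet)"; flow:to_server,established; content:"FreezeInet"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+FreezeInet/iH"; reference:url,doc.emergingthreats.net/2003355; classtype:trojan-activity; sid:2003355; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products Spyware User-Agent (MyWay)"; flow: established,to_server; content:"MyWay"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+MyWay/iH"; threshold:type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001864; classtype:trojan-activity; sid:2001864; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamehouse.com User-Agent (GAMEHOUSE.NET.URL)"; flow:to_server,established; content:"GAMEHOUSE"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+GAMEHOUSE/iH"; reference:url,doc.emergingthreats.net/2003347; classtype:trojan-activity; sid:2003347; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): sid 2006381 had its content match on the raw payload while its pcre uses the H (HTTP header) flag; the neighbouring User-Agent rules bind the content with http_header. Added http_header so the fast pattern and the pcre inspect the same buffer (rev bumped 11 -> 12). Detection logic is otherwise unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ask.com Toolbar/Spyware User-Agent (AskPBar)"; flow:established,to_server; content:"AskPBar"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskPBar/Hi"; reference:url,doc.emergingthreats.net/2006381; classtype:trojan-activity; sid:2006381; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet Optimizer Activity User-Agent (IOKernel)"; flow: to_server,established; content:" IOKernel/"; http_header; pcre:"/User-Agent\:[^\n]+IOKernel/iH"; reference:url,doc.emergingthreats.net/2001498; classtype:trojan-activity; sid:2001498; rev:30; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Morpheus Spyware Install User-Agent (SmartInstaller)"; flow:to_server,established; content:"SmartInstaller"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+SmartInstaller/iH"; reference:url,doc.emergingthreats.net/2003398; classtype:trojan-activity; sid:2003398; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mysearch.com/Morpheus Bar Spyware User-Agent (Morpheus)"; flow:to_server,established; content:" Morpheus"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Morpheus/iH"; reference:url,doc.emergingthreats.net/2003396; classtype:trojan-activity; sid:2003396; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mysearch.com Spyware User-Agent (iMeshBar)"; flow:to_server,established; content:"iMeshBar"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+iMeshBar/iH"; reference:url,doc.emergingthreats.net/2003406; classtype:trojan-activity; sid:2003406; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyWebSearch Spyware User-Agent (MyWebSearch)"; flow: 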
established,to_server; content:"MyWebSearch"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+MyWebSearch/Hi"; reference:url,doc.emergingthreats.net/2001865; classtype:trojan-activity; sid:2001865; rev:25; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; content:" Oemji"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Oemji/iH"; reference:url,doc.emergingthreats.net/2003468; classtype:trojan-activity; sid:2003468; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Search Engine 2000 Spyware User-Agent (searchengine)"; flow: established,to_server; content:" searchengine|0d 0a|"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+searchengine/iH"; reference:url,doc.emergingthreats.net/2001867; classtype:trojan-activity; sid:2001867; rev:27; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iDownloadAgent Spyware User-Agent (iDownloadAgent)"; flow:to_server,established; content:" iDownloadAgent"; http_header; pcre:"/User-Agent\:[^\n]+iDownloadAgent/H"; reference:url,doc.emergingthreats.net/2002739; classtype:trojan-activity; sid:2002739; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyaxe Spyware User-Agent (spywareaxe)"; flow:to_server,established; content:"spywareaxe"; http_header; 
fast_pattern:only; pcre:"/User-Agent\:[^\n]+spywareaxe/H"; reference:url,doc.emergingthreats.net/2002808; classtype:trojan-activity; sid:2002808; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware User-Agent (sureseeker)"; flow: established,to_server; content:" sureseeker"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+sureseeker\.com/iH"; reference:url,doc.emergingthreats.net/2001868; classtype:trojan-activity; sid:2001868; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Surfplayer Spyware User-Agent (SurferPlugin)"; flow: established,to_server; content:"SurferPlugin"; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+SurferPlugin/iH"; reference:url,doc.emergingthreats.net/2001870; classtype:trojan-activity; sid:2001870; rev:25; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UCMore Spyware User-Agent (UCmore) "; flow: to_server,established; content:" UCmore"; http_header; pcre:"/User-Agent\:[^\n]+UCmore/iH"; reference:url,doc.emergingthreats.net/2001736; classtype:trojan-activity; sid:2001736; rev:271; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Webbuying.net Spyware Install User-Agent (wbi_v0.90)"; flow:to_server,established; content:" wbi_v0."; fast_pattern:only; http_header; pcre:"/User-Agent\:[^\n]+wbi_v\d/iH"; 
reference:url,doc.emergingthreats.net/2003441; classtype:trojan-activity; sid:2003441; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE XupiterToolbar Spyware User-Agent (XupiterToolbar)"; flow: to_server,established; content:"XupiterToolbar"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+XupiterToolbar/iH"; reference:url,castlecops.com/tk781-Xupitertoolbar_dll_t_dll.html; reference:url,doc.emergingthreats.net/2002071; classtype:trojan-activity; sid:2002071; rev:16; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Spyware User-Agent (Hotbar)"; flow: established,to_server; content:"|3b| Hotbar"; http_header; pcre:"/User-Agent\:[^\n]+Hotbar/iH"; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001858; classtype:trojan-activity; sid:2001858; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Tools Spyware User-Agent (hbtools)"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:"|3b| HbTools"; http_header; fast_pattern; within:80; reference:url,doc.emergingthreats.net/2003383; classtype:trojan-activity; sid:2003383; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zango Seekmo Bar Spyware User-Agent (Seekmo Toolbar)"; flow:to_server,established; content:"Seekmo"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+Seekmo/iH"; threshold:type both, count 1, seconds 300, 
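track by_src; classtype:trojan-activity; sid:2003397; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
# NOTE(review): sid 2003496 matched "|3b| AskBar" on the raw payload while its pcre uses the H (HTTP header) flag; every sibling User-Agent rule binds the content with http_header. Added http_header so the content and the pcre inspect the same buffer (rev bumped 12 -> 13). Detection logic is otherwise unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AskSearch Toolbar Spyware User-Agent (AskBar)"; flow:to_server,established; content:"|3b| AskBar"; http_header; pcre:"/User-Agent\x3a[^\n]+AskBar/iH"; reference:url,doc.emergingthreats.net/2003496; classtype:trojan-activity; sid:2003496; rev:13; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AskSearch Spyware User-Agent (AskSearchAssistant)"; flow:to_server,established; content:"AskSearch"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+AskSearch/iH"; threshold:type limit, count 2, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2003493; classtype:trojan-activity; sid:2003493; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Common Adware Library ISX User Agent Detected"; flow:established,to_server; content:"User-Agent|3A 20|ISX Download DLL"; fast_pattern:12,16; http_header; reference:url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm; classtype:trojan-activity; sid:2014137; rev:3; metadata:created_at 2012_01_18, updated_at 2012_01_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OpenTrio User-Agent (Open3)"; flow:established,to_server; content:"User-Agent|3A 20|Open3"; http_header; classtype:trojan-activity; sid:2014190; rev:2; metadata:created_at 2012_02_06, updated_at 2012_02_06;)
# NOTE(review): the next line is corrupt in this copy. The "W32/MediaGet Checkin" rule is truncated after 'content:"' (its content match, remaining options and sid are missing) and runs straight into the options of the "W32/PlaySushi User-Agent" rule (sid 2014261), whose own "alert http $HOME_NET any ->" header is missing. As written the fused line will not parse and both rules must be restored from the upstream ET ruleset; it is left verbatim rather than guessed at.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/MediaGet Checkin"; flow:established,to_server; content:" $EXTERNAL_NET any (msg:"ET MALWARE W32/PlaySushi User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|psi "; http_header; reference:md5,039815a7cb0b7ee52b753a9b79006f97; classtype:trojan-activity; sid:2014261; rev:2; metadata:created_at 2012_02_21, updated_at 2012_02_21;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; content:"/inst.php?"; http_uri; content:"User-Agent|3a| psi"; http_header; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:trojan-activity; sid:2014262; rev:4; metadata:created_at 2012_01_21, updated_at 2012_01_21;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameVance Adware Checkin"; flow:established,to_server; content:"/inst.asp?d="; http_uri; content:"&cl="; http_uri; content:"&l="; http_uri; content:"&e="; http_uri; content:"&v="; http_uri; content:"&uid="; http_uri; content:"&time="; http_uri; content:"&win="; http_uri; content:"&ac="; http_uri; content:"&ti="; http_uri; content:"&xv="; http_uri; reference:md5,2609c78efbc325d1834e49553a9a9f89; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014339; rev:2; metadata:created_at 2012_03_08, updated_at 2012_03_08;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent|3a| ManInTheMiddle-Proxy"; http_header; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; classtype:policy-violation; sid:2001586; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 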
RubyFortune Spyware Capabilities User-Agent (Microgaming Install Program) - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| Microgaming Install Program|0d 0a|"; nocase; http_header; reference:url,vil.nai.com/vil/content/v_151034.htm; reference:url,www.emsisoft.com/en/malware/?Adware.Win32.Ruby+Fortune+Casino+3.2.0.25; reference:url,www.threatexpert.com/reports.aspx?find=mgsmup.com; reference:url,doc.emergingthreats.net/2009783; classtype:trojan-activity; sid:2009783; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; content:"/app/VT00/ucmd.php?V="; http_uri; nocase; reference:url,www.a-d-w-a-r-e.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; classtype:trojan-activity; sid:2001735; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; content:"/abx_search_webinstall/abx_search.cab"; http_uri; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2001761; classtype:trojan-activity; sid:2001761; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Abcsearch.com Spyware Reporting"; flow:established,to_server; content:"/cgi-bin/search/mxml.fcgi?"; nocase; http_uri; content:"Terms="; nocase; http_uri; content:"&affiliate="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&Hits_Per_Page="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; classtype:trojan-activity; sid:2003438; rev:5; metadata:created_at 2010_07_30, 
updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Abox Install Report"; flow: to_server,established; content:"&time="; nocase; http_uri; content:"/new_install?id="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; classtype:trojan-activity; sid:2001441; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Advert-network.com Related Spyware Updating"; flow:established,to_server; content:"/cnconfig.gz?ct="; http_uri; content:"&bp="; http_uri; content:"&vs="; http_uri; content:"&country="; http_uri; content:"&grp="; http_uri; content:"&tcpc="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; classtype:trojan-activity; sid:2008419; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/check.php?tcpc="; http_uri; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; classtype:trojan-activity; sid:2008425; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; content:"?UID="; nocase; http_uri; content:"&DIST="; nocase; http_uri; content:"&NPR="; nocase; http_uri; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; classtype:trojan-activity; sid:2007601; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; 
content:"/Games/villains.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; classtype:policy-violation; sid:2001228; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; content:"/Games/cakedeal.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; classtype:policy-violation; sid:2001230; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Generic Adware Install Report"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/nsi_install.php?inst_result=success&aff_id="; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2010630; classtype:trojan-activity; sid:2010630; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wintools Download/Configure"; flow: to_server,established; content:"/WTools"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; classtype:trojan-activity; sid:2001450; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; content:"/SyncAkSoft.da_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; classtype:trojan-activity; sid:2001530; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ak-networks.com Spyware Code 
Install"; flow: to_server,established; content:"/akcore.dl_"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; classtype:trojan-activity; sid:2001737; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; content:"/image_server.cgi?size=small&url=http|3a|/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; classtype:trojan-activity; sid:2002349; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alexa Spyware Reporting"; flow:established,to_server; content:"/data?"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&dat="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&uid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; classtype:trojan-activity; sid:2003219; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alexa Spyware Redirecting User"; flow:established,to_server; content:"/redirect?http"; nocase; http_uri; content:"Host|3a| redirect.alexa.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; classtype:trojan-activity; sid:2003619; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; content:"/ie/updatenew/"; http_uri; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; classtype:trojan-activity; sid:2000903; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: 
to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; classtype:trojan-activity; sid:2001999; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baidu.com Spyware Bar Reporting"; flow:to_server,established; content:"/update/barcab/"; nocase; http_uri; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; classtype:policy-violation; sid:2003340; rev:5; metadata:created_at 2010_07_30, updated_at 2017_04_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; content:"/update/cab/loadmovie.swf"; nocase; http_uri; content:"bar.baidu.com"; nocase; http_header; fast_pattern; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; classtype:policy-violation; sid:2003341; rev:5; metadata:created_at 2010_07_30, updated_at 2017_04_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; content:"/cpro/ui/ui"; nocase; http_uri; content:"baidu.com"; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; metadata: former_category MALWARE; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; classtype:trojan-activity; sid:2003578; rev:8; metadata:created_at 2010_07_30, updated_at 2017_04_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baidu.com Spyware Bar Activity"; flow:to_server,established; content:"/n?cmd="; nocase; http_uri; content:"&class="; 
nocase; http_uri; content:"&pn="; nocase; http_uri; content:"&tn"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; classtype:trojan-activity; sid:2003605; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; content:"/sobar/sobar"; nocase; http_uri; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; classtype:trojan-activity; sid:2003630; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adaware.BarACE Checkin and Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|2E|php|3F|zone="; http_uri; nocase; content:"|26|name="; nocase; http_uri; content:"|26|bpid="; nocase; http_uri; content:"|26|bnum="; nocase; http_uri; content:"|26|pid="; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; classtype:trojan-activity; sid:2008318; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bargain Buddy"; flow: to_server,established; content:"/download/bargin_buddy"; nocase; http_uri; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; classtype:trojan-activity; sid:2000574; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001885; classtype:policy-violation; sid:2001885; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; content:"/checkin.php?"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"version="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; classtype:trojan-activity; sid:2003209; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best-targeted-traffic.com Spyware Install"; flow:established,to_server; content:"/install.php?"; nocase; http_uri; content:"&pais="; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; classtype:trojan-activity; sid:2003210; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; content:"/ping.php?"; nocase; http_uri; content:"ul=http"; nocase; http_uri; content:"unq="; nocase; http_uri; content:"User-Agent|3a| Opera "; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; classtype:trojan-activity; sid:2003211; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; content:"/vxgame1/vxv.php"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; classtype:trojan-activity; sid:2002956; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; content:"/win32.exe"; nocase; http_uri; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; classtype:trojan-activity; sid:2002957; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bestcount.net Spyware Exploit Download"; flow:established,to_server; content:"/sploit.anr"; nocase; http_uri; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; classtype:trojan-activity; sid:2003153; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bestcount.net Spyware Data Upload"; flow:established,to_server; content:"/objects/ocget.dll"; nocase; http_uri; content:"mybest"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; classtype:trojan-activity; sid:2003154; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Binet (download complete)"; flow: to_server,established; content:"/download/cabs/"; nocase; http_uri; content:"download_complete.htm"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; classtype:trojan-activity; sid:2000366; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Binet (set_pix)"; flow: to_server,established; content:"/download/cabs/set_pix.php"; nocase; http_uri; content:"abetterinternet.com"; nocase; http_header; 
reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; classtype:trojan-activity; sid:2000367; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Binet (randreco.exe)"; flow: to_server,established; content:"/download/cabs/RANDRECO/randreco.exe"; nocase; http_uri; content:"abetterinternet.com|0d 0a|"; nocase; http_header; fast_pattern; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; classtype:trojan-activity; sid:2000371; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Binet Ad Retrieval"; flow: to_server,established; content:"/bba/flashimages/"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; classtype:trojan-activity; sid:2000593; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Twaintec Download Attempt"; flow: to_server,established; content:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; classtype:trojan-activity; sid:2001198; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Twaintec Ad Retrieval"; flow: to_server,established; content:"/twain/servlet/Twain?adcontext="; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; classtype:trojan-activity; sid:2001199; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
MALWARE Twaintec Reporting Data"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; http_uri; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; classtype:trojan-activity; sid:2001216; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BInet Information Upload"; flow: to_server,established; content:"/bi/servlet/ThinstallPre"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; classtype:trojan-activity; sid:2001339; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BInet Information Install Report"; flow: to_server,established; content:"/bi/servlet/ThinstallPost"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; classtype:trojan-activity; sid:2001576; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bfast.com Spyware"; flow: to_server,established; content:"/bfast/serve?bfmid"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; classtype:policy-violation; sid:2001398; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/zuzu.php?&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; classtype:trojan-activity; sid:2005319; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bonziportal Traffic"; flow: to_server,established; 
content:"/bonziportal/bin/"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; classtype:trojan-activity; sid:2001345; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bravesentry.com Fake Antispyware Download"; flow:established,to_server; content:"/bravesentry.exe"; nocase; http_uri; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; classtype:trojan-activity; sid:2002954; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; content:"Host|3a| "; http_header; content:".bravesentry.com"; nocase; http_header; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; classtype:trojan-activity; sid:2003541; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host|3a| www.bullseye-network.com"; nocase; http_header; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; classtype:trojan-activity; sid:2001501; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bundleware Spyware Download"; flow: to_server,established; 
content:"/app/InternetFuel/AppWrap.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; classtype:policy-violation; sid:2001451; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer|3a| ms-its|3a|mhtml|3a|file|3a|//C|3a|counter.mht!http|3a|//"; nocase; content:"/counter/HELP3.CHM|3a 3a|/help.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; classtype:trojan-activity; sid:2001452; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bundleware Spyware cab Download"; flow: to_server,established; content:"/counter/counter_v3.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; classtype:trojan-activity; sid:2001458; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; content:"/js.php?event_type=onload&recurrence="; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; classtype:trojan-activity; sid:2002088; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; content:"/download/CnsMin"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; classtype:trojan-activity; sid:2003417; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; 
content:"/download/CnsUp"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; classtype:trojan-activity; sid:2003418; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; content:"/download/autolvsw.ini?"; nocase; http_uri; content:"?t="; nocase; http_uri; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; classtype:trojan-activity; sid:2003419; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; content:"/x/in.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; classtype:trojan-activity; sid:2002089; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; content:"/x/tbd_web.php?wm="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; classtype:trojan-activity; sid:2002095; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CWS Trafcool.biz Related Installer"; flow:established,to_server; content:"/progs_traff/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; classtype:trojan-activity; sid:2002931; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; content:"/?advid="; nocase; http_uri; content:"spy-sheriff.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; classtype:trojan-activity; sid:2002933; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; content:"/download/cabs/THNALL1L/thnall1l.exe"; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; classtype:trojan-activity; sid:2001521; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casino on Net Install"; flow: to_server,established; content:"/newdownload/newsetup/"; nocase; http_uri; content:"casinone"; nocase; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; classtype:trojan-activity; sid:2001041; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casino on Net Reporting Data"; flow: to_server,established; content:"/logs.asp?MSGID=100"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; classtype:trojan-activity; sid:2001031; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casino on Net Ping Hit"; flow: to_server,established; content:"/Ping/Ping.txt"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; classtype:trojan-activity; sid:2001032; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casino on Net Data Download"; flow: to_server,established; content:"/sdl/casinov"; nocase; http_uri; reference:url,www.888casino.net; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; classtype:trojan-activity; sid:2001033; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Catchonlife.com Spyware"; flow: to_server,established; content:"/nw3/r1.txt?"; http_uri; content:"catchonlife"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; classtype:trojan-activity; sid:2003358; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; content:"/notify.php?pid=remupd&module=install&v="; nocase; http_uri; content:"&result=1&message=Success"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; classtype:trojan-activity; sid:2001494; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; classtype:trojan-activity; sid:2001500; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comet Systems Spyware Traffic"; flow: to_server,established; content:"/cc/"; http_uri; content:"Host|3a| update.cc.cometsystems.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; classtype:policy-violation; sid:2000931; rev:10; metadata:created_at 2010_07_30, 
updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CometSystems Spyware"; flow: to_server,established; content:"/comet/request"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; classtype:policy-violation; sid:2001050; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; content:"/context/1/up_context_1.xml"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; classtype:policy-violation; sid:2001655; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host|3a| log.cc.cometsystems.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; classtype:policy-violation; sid:2001658; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comet Systems Spyware Update Download"; flow: to_server,established; content:"/cc/5/masterconfig/"; nocase; http_uri; content:"/update.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; classtype:policy-violation; sid:2002351; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comet Systems Spyware Context Report"; flow: to_server,established; content:"/context/1/up_context_1.xml?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; classtype:policy-violation; sid:2002352; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Comet Systems Spyware Cursor DL"; flow: 
to_server,established; content:"/czcontent/cursor"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; classtype:policy-violation; sid:2003307; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; content:"/Message/"; http_uri; content:"User-Agent|3a| EI"; nocase; http_header; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; classtype:trojan-activity; sid:2003218; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Content-loader.com Spyware Install"; flow: to_server,established; content:"/getexe/?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; classtype:trojan-activity; sid:2003074; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Content-loader.com Spyware Install 2"; flow: to_server,established; content:"/getdata/getdata.php?wmid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; classtype:trojan-activity; sid:2003075; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; content:"/fdial2.php?o="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; classtype:trojan-activity; sid:2003076; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Context Plus Spyware Install"; flow: established,to_server; content:"/AproposClientInstaller.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; 
classtype:trojan-activity; sid:2001704; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ContextPanel Reporting"; flow: to_server,established; content:"/cplog/?logtype="; nocase; http_uri; content:"contextpanel.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; classtype:policy-violation; sid:2001456; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoolDeskAlert Spyware Activity"; flow:to_server,established; content:"/alert/get_xml"; nocase; http_uri; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; classtype:trojan-activity; sid:2003462; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; classtype:trojan-activity; sid:2001479; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"pcpeek-webcam-sex.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; classtype:trojan-activity; sid:2002766; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"businessopportunityseeker.biz"; nocase; http_header; 
reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; classtype:trojan-activity; sid:2002767; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host|3a|"; nocase; http_header; content:"studiolacase.com"; nocase; http_header; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; classtype:trojan-activity; sid:2002769; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; content:"/msits.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; classtype:trojan-activity; sid:2002770; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; content:"/msys.exe"; nocase; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; classtype:trojan-activity; sid:2002771; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Couponage Download"; flow: to_server,established; content:".dl_"; nocase; http_uri; content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; classtype:policy-violation; sid:2001453; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Couponage Configure"; flow: to_server,established; content:".da_"; nocase; 
content:"couponage.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; classtype:policy-violation; sid:2001454; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DelFin Project Spyware (payload)"; flow: established,to_server; content:"/in/payload/payload.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; classtype:trojan-activity; sid:2002816; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DelFin Project Spyware (setup)"; flow: established,to_server; content:"/in/defaults/setup.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; classtype:trojan-activity; sid:2002817; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DelFin Project Spyware (setup-alt)"; flow: established,to_server; content:"/in/defaults/setup-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; classtype:trojan-activity; sid:2003472; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DelFin Project Spyware (payload-alt)"; flow: established,to_server; content:"/in/payload/payload-alt.nfo?"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; classtype:trojan-activity; sid:2003473; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; content:"cgi-bin/ezl_kws.fcgi?cat"; nocase; http_uri; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001884; classtype:trojan-activity; sid:2001884; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deskwizz.com Spyware Install INI Download"; flow: to_server,established; content:"/GetAd/tekID"; nocase; http_uri; content:".ini"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; classtype:policy-violation; sid:2003445; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Deskwizz.com Spyware Install Code Download"; flow: to_server,established; content:"/ax/acdt-pid"; nocase; http_uri; content:".exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; classtype:policy-violation; sid:2003444; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; content:".php?appname="; nocase; http_uri; content:"&appseq="; nocase; http_uri; content:"&mac="; nocase; http_uri; content:"&type="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; classtype:trojan-activity; sid:2007978; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/nchkmac.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; classtype:trojan-activity; sid:2006427; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; content:"/open.php?sn="; nocase; 
http_uri; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; classtype:trojan-activity; sid:2006428; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkblack.php?mac=0"; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; classtype:trojan-activity; sid:2006431; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; content:"/ret.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&cname="; nocase; http_uri; content:"&cn="; nocase; http_uri; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; classtype:trojan-activity; sid:2006432; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/api_result.php?"; nocase; http_uri; content:"mode="; nocase; http_uri; content:"&PartID="; nocase; http_uri; content:"&mac="; nocase; http_uri; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; classtype:trojan-activity; sid:2006433; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/chkvs.php?mac=0"; nocase; http_uri; 
pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; classtype:trojan-activity; sid:2007642; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dollarrevenue.com Spyware Code Download"; flow:established,to_server; content:"/bundle/drsmartload.exe"; nocase; http_uri; reference:url,dollarrevenue.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; classtype:trojan-activity; sid:2002967; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TROJAN_VB Microjoin"; flow:established,to_server; content:"/bundle/loader.exe"; nocase; http_uri; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; classtype:trojan-activity; sid:2003084; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dropspam.com Spyware Reporting"; flow:established,to_server; content:"/reportaddon.cgi?"; nocase; http_uri; content:"report.cgi?"; nocase; http_uri; content:"user="; nocase; http_uri; content:"software="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; classtype:trojan-activity; sid:2003440; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E2give Related Reporting Install"; flow: to_server,established; content:"/count/count.php?&mm"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; classtype:trojan-activity; sid:2001416; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E2give Related Receiving Config"; flow: 
to_server,established; content:"/config/?"; nocase; http_uri; content: "v=5"; nocase; http_uri;content: "n=mm2"; nocase; http_uri; content: "i="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; classtype:trojan-activity; sid:2001417; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E2give Related Downloading Code"; flow: to_server,established; content:"/soft/unstall.exe"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; classtype:trojan-activity; sid:2001418; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E2give Related Reporting"; flow: to_server,established; content:"/count/count.php?&mm2cpr"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; classtype:trojan-activity; sid:2001423; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE E2give Spyware Reporting (check url)"; flow: to_server,established; content:"/go/check?build="; nocase; http_uri; content:"&source="; nocase; http_uri; content:"&merchants="; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; classtype:trojan-activity; sid:2003504; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; content:"/files/eSyndicateInst.exe"; nocase; http_uri; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; classtype:trojan-activity; sid:2002009; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; content:"/files/SEPInst.exe"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; classtype:trojan-activity; sid:2002010; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; content:"/partner/rt.php?q="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; classtype:trojan-activity; sid:2002317; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; content:"/partner/rt.php?cat="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; classtype:trojan-activity; sid:2002318; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; content:"/partner/bom.php?e="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; classtype:trojan-activity; sid:2002319; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ebates Install"; flow: to_server,established; content:"/ebates.exe"; http_uri; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; classtype:policy-violation; 
sid:2001038; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Effectivebrands.com Spyware Checkin"; flow:established,to_server; content:"/iis2ebs.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; classtype:trojan-activity; sid:2003304; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; content:"/iis2ucms.asp"; nocase; http_uri; content:"effectivebrands.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; classtype:trojan-activity; sid:2003360; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Elitemediagroup.net Spyware Config Download"; flow:established,to_server; content:"/bundle.php?aff="; nocase; http_uri; reference:url,elitemediagroup.net; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; classtype:trojan-activity; sid:2002966; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Epilot.com Spyware Reporting"; flow:established,to_server; content:"/getresults.aspx"; nocase; http_uri; content:"?aff="; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&keyword="; nocase; http_uri; content:"&source="; nocase; http_uri; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; classtype:trojan-activity; sid:2003414; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Epilot.com Spyware Reporting Clicks"; flow:established,to_server; content:"/click.aspx?"; nocase; http_uri; content:"?xp="; nocase; http_uri; 
content:"Host|3a| "; nocase; http_header; content:"epilot.com"; nocase; http_header; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; classtype:trojan-activity; sid:2003416; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE F1Organizer Install Attempt"; flow: to_server,established; content:"/f1/objects/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; classtype:trojan-activity; sid:2000585; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE F1Organizer Reporting"; flow: to_server,established; content:"/f1/audit/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; classtype:trojan-activity; sid:2000582; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE F1Organizer Config Download"; flow: to_server,established; content:"/F1/Cmd4F1"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; classtype:trojan-activity; sid:2001221; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Findwhat.com Spyware (clickthrough)"; flow: to_server,established; content:"/bin/findwhat.dll?clickthrough&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; classtype:trojan-activity; sid:2003579; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Findwhat.com Spyware (sendmedia)"; flow: to_server,established; content:"/bin/findwhat.dll?sendmedia&"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; classtype:trojan-activity; sid:2003581; rev:5; metadata:created_at 2010_07_30, updated_at 
2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FlashTrack Agent Retrieving New App Code"; flow: to_server,established; content:"/apps/r.exe"; http_uri; reference:url,www.flashpoint.bm; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; classtype:trojan-activity; sid:2000936; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Flingstone Spyware Install (cxtpls)"; flow: established,to_server; content:"/softwares/cxtpls_loader_ff.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; classtype:trojan-activity; sid:2001710; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; content:"/softwares/SportsInteraction.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; classtype:trojan-activity; sid:2001705; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Freeze.com Spyware/Adware (Install)"; flow: to_server,established; content:"/checkhttp.htm"; nocase; http_uri; content:"User-Agent|3a| Wise"; nocase; http_header; content:"freeze.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; classtype:policy-violation; sid:2002840; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; content:"/ping/?shortname="; nocase; http_uri; content:"User-Agent|3a| Wise"; nocase; http_header; content:"freeze.com"; nocase; 
http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; classtype:policy-violation; sid:2002841; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W3i Related Adware/Spyware"; flow:established,to_server; content:"GET"; nocase; http_method; content:"shortname="; nocase; http_uri; content:"os="; nocase; http_uri; content:"v="; nocase; http_uri; content:"browsers="; nocase; http_uri; content:"readable="; nocase; http_uri; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; classtype:trojan-activity; sid:2009705; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products Install"; flow: to_server,established; content:"/install_ie.jsp?product="; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; classtype:policy-violation; sid:2000599; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products SmileyCentral"; flow: to_server,established; content:"/images/smileycentral/"; nocase; http_uri; content:"FunWebProducts"; nocase; http_header; fast_pattern; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; classtype:policy-violation; sid:2001013; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; classtype:policy-violation; sid:2002305; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; content:"/SmileyChooser.html?"; nocase; http_uri; content:"v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; classtype:policy-violation; sid:2002310; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products Cursorchooser Spyware"; flow: to_server,established; content:"/CursorChooser.html?"; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; classtype:policy-violation; sid:2002306; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; content:"/download/install_ie_sp2.jhtml?"; nocase; http_uri; content:"product="; nocase; http_uri; content:"utmCall="; nocase; http_uri; content:"bOrganic="; nocase; http_uri; reference:url,www.myfuncards.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; classtype:trojan-activity; sid:2003151; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamehouse.com Activity"; flow: to_server,established; content:"/game-quit-count.jsp?ghgamecode="; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; classtype:trojan-activity; sid:2003348; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; http_header; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; classtype:policy-violation; 
sid:2000025; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gator New Code Download"; flow: to_server,established; content:"/gatorcme/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; classtype:policy-violation; sid:2000597; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; content:".scr"; nocase; http_uri; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; classtype:trojan-activity; sid:2001850; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; content:".exe"; nocase; http_uri; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; classtype:trojan-activity; sid:2002093; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell|3a|windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; classtype:misc-attack; sid:2000519; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET 
any -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell|3a|winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; classtype:misc-attack; sid:2000520; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlobalPhon.com Dialer"; flow: to_server,established; content:"Host|3a| www.globalphon.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; classtype:trojan-activity; sid:2001656; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlobalPhon.com Dialer Download"; flow: to_server,established; content:"/dialer/internazionale_ver"; nocase; http_uri; content:".CAB"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; classtype:trojan-activity; sid:2001657; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; content:"/add_ocx.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; classtype:trojan-activity; sid:2001660; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GrandstreetInteractive.com Install"; flow: to_server,established; content:"/tdtb.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; classtype:trojan-activity; sid:2002012; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GrandstreetInteractive.com Update"; flow: to_server,established; content:"/wupdsnff.exe"; nocase; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002013; classtype:trojan-activity; sid:2002013; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE host-domain-lookup.com spyware related Checkin"; flow:established,to_server; content:"?udata="; http_uri; content:"mission_supgrade|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; classtype:trojan-activity; sid:2007749; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE host-domain-lookup.com spyware related Start Report"; flow:established,to_server; content:"?udata="; http_uri; content:"program_started|3a|"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; classtype:trojan-activity; sid:2007750; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Install (2)"; flow: to_server,established; content:"/install/process/upsale/hotbar"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; classtype:trojan-activity; sid:2000921; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Install (3)"; flow: to_server,established; content:"/installs/hotbar/programs/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; classtype:trojan-activity; sid:2000922; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; http_method; content:"/reports/hotbar/"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; classtype:trojan-activity; sid:2000923; rev:11; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Agent Upgrading"; flow: to_server,established; content:"/updates/hotbar/"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; classtype:trojan-activity; sid:2000924; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Agent Activity"; flow: to_server,established; content:"/dynamic/hotbar/"; nocase; http_uri; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; classtype:trojan-activity; sid:2000929; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Agent Adopt/Zango"; flow: to_server,established; content:"/adopt.jsp?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"cid="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; classtype:trojan-activity; sid:2003364; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar.com Related Spyware Install Report"; flow:established,to_server; content:"/ciconfig.aspx?did="; http_uri; content:"&brandid="; http_uri; content:"&os="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; classtype:trojan-activity; sid:2008917; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; content:"/counter/help.chm"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2002090; classtype:trojan-activity; sid:2002090; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; content:"/l/gpr.php?"; nocase; http_uri; content: "ID1="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; classtype:trojan-activity; sid:2002096; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; content:"/no_pop.asp?"; nocase; http_uri; content: "id="; nocase; http_uri; content:"globalphon.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; classtype:trojan-activity; sid:2001659; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; content:"/ist/scripts/log_downloads.php"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; classtype:trojan-activity; sid:2000927; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; content:"/ist/bars/"; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; classtype:trojan-activity; sid:2000928; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; content:"/ist/softwares/"; nocase; http_uri; 
reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; classtype:trojan-activity; sid:2001395; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incredisearch.com Spyware Ping"; flow: established,to_server; content:"/ping.asp"; nocase; http_uri; content:"incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; classtype:trojan-activity; sid:2001793; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host|3a| www.incredisearch.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; classtype:trojan-activity; sid:2001794; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Instafinder.com spyware"; flow: established,to_server; content:"/404/update/instafi"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; classtype:trojan-activity; sid:2003376; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet Fuel.com Install"; flow: to_server,established; content:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; classtype:trojan-activity; sid:2002015; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet Optomizer Reporting Data"; flow: to_server,established; content:"/io/downloads/"; nocase; http_uri; content:"/wsi8/optimize"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; 
classtype:policy-violation; sid:2001308; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE jmnad1.com Spyware Install (1)"; flow: to_server,established; content:"/install.qg?"; nocase; http_uri; content: "ID="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,wilderssecurity.com/threads/hijack-this-log-sandoxer-jmnad1.42146/; classtype:trojan-activity; sid:2002019; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE jmnad1.com Spyware Install (2)"; flow: to_server,established; content:"/download/mw_4s_stub.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; classtype:trojan-activity; sid:2002016; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar.com Related Spyware Activity Report"; flow:established,to_server; content:"/trackedevent.aspx?eid="; http_uri; content:"&brand="; http_uri; content:"&os="; http_uri; content:"&mt="; http_uri; content:"&pkg_ver="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; classtype:trojan-activity; sid:2008918; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; content:"/sdfg.jar"; http_uri; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; classtype:trojan-activity; sid:2010438; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Keenvalue Update Engine"; flow: to_server,established; content:"Host|3a|secure.keenvalue.com"; http_header; content:"|0d0a|Extension|3a|Remote-Passphrase"; 
reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; classtype:trojan-activity; sid:2000932; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Thespyguard.com Spyware Install"; flow:established,to_server; content:"/soft/installers/spyguardf.php"; nocase; http_uri; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; classtype:trojan-activity; sid:2003201; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hitvirus Fake AV Install"; flow:established,to_server; content:"/soft/installers/hitvirusf.php"; nocase; http_uri; content:"get.hitvirus.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; classtype:trojan-activity; sid:2003203; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Thespyguard.com Spyware Updating"; flow:established,to_server; content:"/soft/update/get.php"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"mail="; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; classtype:trojan-activity; sid:2003204; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KMIP.net Spyware"; flow:established,to_server; content:"/iesocks?peer_id="; nocase; http_uri; content:"ver="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; classtype:trojan-activity; sid:2003298; rev:5; metadata:created_at 
2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KMIP.net Spyware 2"; flow:established,to_server; content:"/sp?c=N&i="; nocase; http_uri; content:"&v="; nocase; http_uri; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; classtype:trojan-activity; sid:2003526; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; content:"/statics.php?maddr="; nocase; http_uri; content:"&ipaddr="; nocase; http_uri; content:"&ovt="; nocase; http_uri; content:"&verno="; nocase; http_uri; content:"&action="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; classtype:trojan-activity; sid:2008067; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; content:"/alive.php?ovt=new_link"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; classtype:trojan-activity; sid:2008069; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LocalNRD Spyware Checkin"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content: "adcontext"; nocase; http_uri; reference:url,www.localnrd.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; classtype:trojan-activity; sid:2001340; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer|3a| Look2Me"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; 
classtype:trojan-activity; sid:2001499; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; content:"/update.php?v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&vs="; nocase; http_uri; content:"Host|3a| www.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; classtype:trojan-activity; sid:2003611; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/madownload.php?&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"Host|3a| download.MalwareAlarm.com"; nocase; http_header; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; classtype:trojan-activity; sid:2003612; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com Spyware Configuration Access"; flow: to_server,established; content:"/oss/remoteconfig.asp"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; classtype:policy-violation; sid:2000902; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com Spyware Access"; flow: to_server,established; content:"proxyhttp|0b|marketscore|03|com"; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001359; classtype:policy-violation; sid:2001359; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore Spyware Uploading Data"; flow: to_server,established; content:"/scripts/contentidpost.dll"; nocase; http_uri; content:"OSS-Proxy"; nocase; http_header; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; classtype:policy-violation; sid:2003253; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com Spyware Upgrading"; flow: to_server,established; content:"/oss/upgrchk_2a.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; classtype:policy-violation; sid:2001587; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com Spyware Activity (1)"; flow: to_server,established; content:"/oss/dittorules.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; classtype:policy-violation; sid:2001588; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MarketScore.com Spyware Activity (2)"; flow: to_server,established; content:"/oss/routerrules2.asp"; nocase; http_uri; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; classtype:policy-violation; sid:2001589; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET MALWARE Matcash Trojan Related Spyware Code Download"; flow:established,to_server; content:"User-Agent|3a| Windows 5.1 (2600)|3b| DMCP"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; classtype:trojan-activity; sid:2008759; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; content:"/upd/check?version="; nocase; http_uri; content:"&localeId="; nocase; http_uri; content:"&affid="; nocase; http_uri; content:"&updatevalue="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; classtype:trojan-activity; sid:2003344; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Media Pass ActiveX Install"; flow: to_server,established; content:"/MediaPassK.exe"; nocase; http_uri; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; classtype:policy-violation; sid:2001783; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MediaTickets Download"; flow: to_server,established; content:"MediaTicketsInstaller.cab"; http_uri; content:"Host|3a| www.mt-download.com"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; classtype:trojan-activity; sid:2001448; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MediaTickets Spyware Install"; flow: 
to_server,established; content:"/mtrslib2.js"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; classtype:trojan-activity; sid:2001481; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medialoads.com Spyware Config"; flow: to_server,established; content:"/dw/cgi/download.cgi?"; nocase; http_uri; content:"sn="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; classtype:trojan-activity; sid:2001503; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; content:"/dw/cgi/register.cgi?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"Host|3a|config.medialoads.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; classtype:trojan-activity; sid:2001509; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; content:"/dw/cgi/country.cgi"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"NSISDL"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; classtype:trojan-activity; sid:2001507; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Metarewards Spyware Activity"; flow: to_server,established; content:"Host|3a| www.metareward.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; classtype:policy-violation; sid:2001666; rev:7; metadata:created_at 2010_07_30, 
updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; content:"/dlhelper.cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; classtype:trojan-activity; sid:2001641; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Microgaming.com Spyware Installation (2)"; flow: established,to_server; content:"/DownloadHNew.asp?"; nocase; http_uri; content:"btag="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; classtype:trojan-activity; sid:2001643; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Microgaming.com Spyware Reporting Installation"; flow: established,to_server; content:"/dlhelper/downloadlogger2.asp?"; nocase; http_uri; content:"time="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; classtype:trojan-activity; sid:2001644; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Microgaming.com Spyware Casino App Install"; flow: established,to_server; content:"/viper/thunderluck/00"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; classtype:trojan-activity; sid:2001645; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mindset Interactive Install (1)"; flow: to_server,established; content:"/mindset5/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; classtype:trojan-activity; sid:2000583; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mindset Interactive Install (2)"; flow: 
to_server,established; content:"/mindset/data"; nocase; http_uri; reference:url,www.mindsetinteractive.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; classtype:trojan-activity; sid:2000584; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirarsearch.com Spyware Posting Data"; flow:established,to_server; content:"/v70match.cgi?"; nocase; http_uri; content:"key1="; nocase; http_uri; content:"&key2="; nocase; http_uri; content:"&match="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; classtype:trojan-activity; sid:2003577; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware-Mirar Reporting (BAR)"; flow:to_server,established; content:"download.cgi?BUILDNAME="; nocase; http_uri; content:"&AFFILIATE="; http_uri; content:"&ID="; http_uri; content:"&ERROR=0"; http_uri; content:"User-Agent|3a| BAR"; http_header; reference:url,doc.emergingthreats.net/2009234; classtype:policy-violation; sid:2009234; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE My-Stats.com Spyware Checkin"; flow: established,to_server; content:"/ad-partner/SelectConfirm.php?"; nocase; http_uri; content:"dummy="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; classtype:misc-activity; sid:2001747; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/CSetup_xp.cab"; http_uri; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; 
reference:url,doc.emergingthreats.net/bin/view/Main/2007996; classtype:trojan-activity; sid:2007996; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MySideSearch.com Spyware Install"; flow:established,to_server; content:".php?aff=mysidesearch&act=install"; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; classtype:trojan-activity; sid:2008915; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MySideSearch Browser Optimizer"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)"; nocase; http_header; content:".php?aff="; nocase; http_uri; content:"&act="; nocase; http_uri; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; classtype:trojan-activity; sid:2009524; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE My Search Spyware Config Download"; flow: to_server,established; content:"/ms"; nocase; http_uri; content:"cfg.jsp?"; http_uri; content:"v="; nocase; http_uri; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; classtype:trojan-activity; sid:2002839; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; content:"/speedbar/mySpeedbarCfg"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; classtype:trojan-activity; sid:2000600; rev:13; metadata:created_at 2010_07_30, updated_at 
2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; content:"/mySpeedbarCfg2.jsp"; nocase; http_uri; content:"MyWebSearch"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; classtype:trojan-activity; sid:2003222; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; content:"/jsp/cfg_redir2.jsp?id="; nocase; http_uri; content:"url=http"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; classtype:trojan-activity; sid:2003617; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE New.net Spyware updating"; flow:established,to_server; content:"/download/NewDotNet/"; nocase; http_uri; content:"/upgrade.cab?"; nocase; http_uri; content:"upg="; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; classtype:trojan-activity; sid:2003240; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE New.net Spyware Checkin"; flow:established,to_server; content:"/?version="; nocase; http_uri; content:"discard_tag="; nocase; http_uri; content:"source="; nocase; http_uri; content:"ptr="; nocase; http_uri; content:"br=NewDotNet"; nocase; http_uri; content:"ec="; nocase; http_uri; reference:url,www.new.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; classtype:trojan-activity; sid:2003241; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Oenji.com Install"; flow: to_server,established; content:"/Bundled/OemjiInstall"; nocase; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001538; classtype:trojan-activity; sid:2001538; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyspotter.com Access Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".oemji.com"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; classtype:trojan-activity; sid:2001539; rev:11; metadata:created_at 2010_07_30, updated_at 2017_05_11;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OfferOptimizer.com Spyware"; flow: to_server,established; content:"/ctx/keyword_context.php?"; nocase; http_uri; content:"urlContext=http"; nocase; http_uri; reference:url,www.offeroptimizer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; classtype:policy-violation; sid:2001341; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OneStepSearch Host Activity"; flow: to_server,established; content:"GET"; nocase; http_method; content:"host|3a| upgrade.onestepsearch.net"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; classtype:trojan-activity; sid:2007855; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OutBlaze.com Spyware Activity"; flow: to_server,established; content:"/scripts/adpopper/webservice.main"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; classtype:trojan-activity; sid:2002044; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outerinfo.com Spyware Install"; flow: to_server,established; content:"/ctxad-"; nocase; http_uri; pcre:"/ctxad-\d+\.sig/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; 
classtype:trojan-activity; sid:2001495; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; content:"/campaigns"; nocase; http_uri; content:"outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; classtype:trojan-activity; sid:2001496; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host|3a| campaigns.outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; classtype:trojan-activity; sid:2001497; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Outerinfo.com Spyware Checkin"; flow: to_server,established; content:"/notify.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"&module="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&result="; nocase; http_uri; content:"&message="; nocase; http_uri; content:"outerinfo.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; classtype:trojan-activity; sid:2003426; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host|3a| download.overpro.com"; nocase; http_header; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; classtype:trojan-activity; sid:2001444; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Overpro Spyware Games"; flow: to_server,established; 
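content:"/blocks/blasterblocks"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; classtype:trojan-activity; sid:2001459; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Overpro Spyware Install Report"; flow: to_server,established; content:"/processInstall.aspx"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; classtype:trojan-activity; sid:2002017; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"action="; nocase; http_uri; content:"addt="; nocase; http_uri; content:"pc|5F|id="; nocase; http_uri; content:"abbr="; nocase; http_uri; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; classtype:trojan-activity; sid:2008456; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Pacimedia Spyware 1"; flow:to_server,established; content:"/mcp/mcp.cgi"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; classtype:trojan-activity; sid:2002083; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# FIX(review): in sid:2009712 the final content match "&hdmacid=" was the only one in the
# rule without an http_uri modifier, so it was evaluated against the raw request payload
# while its four sibling parameters were matched in the normalized URI buffer. Added
# http_uri so every parameter is checked in the same buffer. The rule is currently
# disabled (#alert); the fix matters if it is re-enabled via enablesid/modifysid. The
# rule's tail (reference/classtype/sid) continues on the next line of this listing.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?kind="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&addresses="; nocase; http_uri; content:"&hdmacid="; nocase; http_uri; 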
reference:url,doc.emergingthreats.net/2009712; classtype:trojan-activity; sid:2009712; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; content:"/privacyprotectorfreesetup.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; classtype:trojan-activity; sid:2003547; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; content:"?proto="; nocase; http_uri; content:"&rc="; nocase; http_uri;content:"&v="; nocase; http_uri; content:"&abbr="; nocase; http_uri; content:"&platform="; nocase; http_uri; content:"&os_version="; nocase; http_uri;content:"&ac="; nocase; http_uri; content:"&appid="; nocase; http_uri; content:"&em="; nocase; http_uri; content:"&pcid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; classtype:trojan-activity; sid:2007664; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> any any (msg:"ET MALWARE Pynix.dll BHO Activity"; flow: established,to_server; content:"ABETTERINTERNET.EXE"; nocase; http_uri; content:"bho=PYNIX.DLL"; nocase; http_uri; reference:url,www.pynix.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; classtype:trojan-activity; sid:2001748; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rdxrp.com Traffic"; flow: to_server,established; content:"/rdxr020304.dat"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; classtype:trojan-activity; sid:2001311; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Regnow.com Access"; flow: 
to_server,established; content:"/softsell/visitor.cgi?"; nocase; http_uri; content:"affiliate="; nocase; http_uri; reference:url,www.regnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; classtype:trojan-activity; sid:2001223; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Regnow.com Gamehouse.com Access"; flow: to_server,established; content:"/affiliates/template.jsp?"; nocase; http_uri; content:"AID="; nocase; http_uri; reference:url,www.gamehouse.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; classtype:trojan-activity; sid:2001224; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Salongas Infection"; flow: to_server,established; content:"/sp.htm?id="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; classtype:trojan-activity; sid:2000601; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Search Relevancy Spyware"; flow: established,to_server; content:"/SearchRelevancy/SearchRelevancy.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; classtype:trojan-activity; sid:2001696; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchfeed.com Spyware 1"; flow: to_server,established; content:"/rd/Clk.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; classtype:trojan-activity; sid:2002296; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchfeed.com Spyware 2"; flow: to_server,established; content:"/rd/feed/TextFeed.jsp"; http_uri; 
reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; classtype:trojan-activity; sid:2002297; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchfeed.com Spyware 3"; flow: to_server,established; content:"/rd/feed/XMLFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; classtype:trojan-activity; sid:2002298; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchfeed.com Spyware 4"; flow: to_server,established; content:"/rd/feed/JavaScriptFeed.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; classtype:trojan-activity; sid:2002299; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchfeed.com Spyware 5"; flow: to_server,established; content:"/rd/feed/JavaScriptFeedSE.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; classtype:trojan-activity; sid:2002300; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchfeed.com Spyware 6"; flow: to_server,established; content:"/rd/SearchResults.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; classtype:trojan-activity; sid:2002301; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchfeed.com Spyware 7"; flow: to_server,established; content:"/rd/jsp/BidRank/index.jsp"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; classtype:trojan-activity; sid:2002302; rev:6; metadata:created_at 2010_07_30, 
updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchfeed.com Spyware 8"; flow: to_server,established; content:"/SFToolBar.html"; http_uri; reference:url,www.searchfeed.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; classtype:trojan-activity; sid:2002303; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmeup Spyware Install (prog)"; flow: to_server,established; content:"/dkprogs/dktibs.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; classtype:trojan-activity; sid:2001474; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmeup Spyware Install (systime)"; flow: to_server,established; content:"/dkprogs/systime.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; classtype:trojan-activity; sid:2001480; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmeup Spyware Install (mstask)"; flow: to_server,established; content:"/dkprogs/mstasks3.txt"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; classtype:trojan-activity; sid:2001483; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmeup Spyware Install (d.exe)"; flow: to_server,established; content:"/x30/d.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; classtype:trojan-activity; sid:2001484; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmeup Spyware Receiving Commands"; flow: to_server,established; content:"/xpsystem/commands.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; 
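classtype:trojan-activity; sid:2001475; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; content:"/cab/v3cab.cab"; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; classtype:trojan-activity; sid:2001540; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): sid:2001533 is an enabled server->client rule whose only match is a bare
# content with no http_* buffer, i.e. it is searched across the raw response payload. The
# hex decodes to the ASCII string " (C) 2001, 2003 Radim Picha"; any response that carries
# that copyright string will fire, not only silent.exe, so treat hits as candidates that
# need the downloaded file confirmed rather than as a positive identification.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; classtype:trojan-activity; sid:2001533; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; content:"/silent_install.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; classtype:trojan-activity; sid:2001534; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; content:"/protector.exe"; http_uri; content:"Host|3a| install.searchmiracle.com"; nocase; http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; classtype:trojan-activity; sid:2001535; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# FIX(review): in sid:2001744 the content "/sideb.exe" had no buffer modifier, so it was
# matched against the raw payload instead of the normalized URI, unlike the sibling
# protector.exe rule (sid:2001535) that pairs the same Host header with an http_uri match.
# Added http_uri to bring it in line. The rule is disabled (#alert) and its tail
# (http_header; reference/classtype/sid) continues on the next line of this listing.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Install (install)"; flow: to_server,established; content:"/sideb.exe"; http_uri; content:"Host|3a| install.searchmiracle.com"; nocase; 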
http_header; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; classtype:trojan-activity; sid:2001744; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; content:"/silent.exe"; nocase; http_uri; reference:url,www.searchmiracle.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; classtype:trojan-activity; sid:2002091; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host|3a| content.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; classtype:policy-violation; sid:2001650; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host|3a| results.searchscout.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; classtype:policy-violation; sid:2001653; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Security-updater.com Spyware Posting Data"; flow:established,to_server; content:"/SA/receive_data.php3?tcpc="; http_uri; content:"security-updater.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; classtype:trojan-activity; sid:2003576; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Seekmo.com Spyware Data 
Upload"; flow:established,to_server; content:".aspx?"; http_uri; content:"eid="; http_uri; content:"&pkg_ver="; http_uri; content:"&ver="; http_uri; content:"&brand="; http_uri; content:"&mt="; http_uri; content:"&partid="; content:"&altdid="; http_uri; content:"&os="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; classtype:trojan-activity; sid:2008356; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; content:".php?kind="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&ver2="; nocase; http_uri; content:"&ver3="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&supportid="; nocase; http_uri; content:"&uniq="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; classtype:trojan-activity; sid:2008016; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sexmaniack Install Tracking"; flow: to_server,established; content:"/counted.php?ref="; nocase; http_uri; content:"Host|3a| counter.sexmaniack.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; classtype:trojan-activity; sid:2001460; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shop At Home Select.com Install Attempt"; flow: to_server,established; content:"/mindset/bunsetup.cab"; nocase; http_uri; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; classtype:policy-violation; sid:2000580; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Shop At Home Select.com Install Download"; flow: from_server,established; 
content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; classtype:policy-violation; sid:2000581; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shop at Home Select Spyware Heartbeat"; flow: established,to_server; content:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; classtype:policy-violation; sid:2001708; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shop at Home Select Spyware Install"; flow: established,to_server; content:"/arcadecash/setup"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; classtype:policy-violation; sid:2002037; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shopnav Spyware Install"; flow: to_server,established; content:"/toolbarv3.cgi?UID="; nocase; http_uri; content:"&version="; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; classtype:trojan-activity; sid:2002000; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shopcenter.co.kr Spyware Install Report"; flow:established,to_server; content:"/RewardInstall.php?mac=0"; http_uri; content:"&hdd="; http_uri;content:"&ver="; http_uri; content:"&ie="; http_uri; content:"&win="; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2008370; classtype:trojan-activity; sid:2008370; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideStep Bar Install"; flow: to_server,established; content:"/servlet/sbinstservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; classtype:policy-violation; sid:2001016; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideStep Bar Reporting Data"; flow: to_server,established; content:"/servlet/sblogservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; classtype:policy-violation; sid:2001017; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; content:"/servlet/SbStartservlet"; nocase; http_uri; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; classtype:policy-violation; sid:2002821; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smartpops.com Spyware Install rh.exe"; flow: to_server,established; content:"/install/RH/rh.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; classtype:trojan-activity; sid:2001505; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smartpops.com 
Spyware Install"; flow: to_server,established; content:"/install/SE/sed.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; classtype:trojan-activity; sid:2001516; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Smartpops.com Spyware Update"; flow: to_server,established; content:"/data/spv15.dat?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; classtype:trojan-activity; sid:2001513; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install"; flow:established,to_server; content:"/setup/setup.asp?id="; nocase; http_uri; content:"&pcid="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&taday="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; classtype:trojan-activity; sid:2008135; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; content:"/setup/adClick.asp?Id="; nocase; http_uri; content:"&WebId="; nocase; http_uri; content:"&sDate="; nocase; http_uri; content:"&ver="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; classtype:trojan-activity; sid:2008148; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Softcashier.com Spyware Install Checkin"; flow:established,to_server; content:".php?wmid="; nocase; http_uri; content:"&subid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&hs="; nocase; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2007861; classtype:trojan-activity; sid:2007861; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Softwarereferral.com Adware Checkin"; flow:established,to_server; content:"wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; classtype:trojan-activity; sid:2007696; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Spambot Pulling IP List to Spam"; flow:established,to_server; content:"/devrandom/access.php"; nocase; http_uri; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 (compatible)"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; classtype:trojan-activity; sid:2002990; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Spambot getting new exe"; flow:established,to_server; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; classtype:trojan-activity; sid:2002991; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Specificclick.net Spyware Activity"; flow: to_server,established; content:"/adopt.sm?"; nocase; http_uri; content:"l="; nocase; http_uri; content:"&sz="; nocase; http_uri; content:"&redir="; nocase; http_uri; content:"&nmv="; nocase; http_uri; content:"&nrsz="; nocase; http_uri; content:"&r="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; classtype:policy-violation; sid:2003450; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Speedera Agent (Specific)"; flow: to_server,established; 
content:"/io/downloads/3/wsem302.dl"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; classtype:trojan-activity; sid:2001321; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Not.com Spyware Updating"; flow:to_server,established; content:"/updates1/SKVersion.ini"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; classtype:trojan-activity; sid:2003377; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; content:"/updates1/SKSignatures.zip"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; classtype:trojan-activity; sid:2003375; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpySherriff Spyware Activity"; flow: to_server,established; content:"/progs_exe/jbsrak/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; classtype:trojan-activity; sid:2002984; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Jupitersatellites.biz Spyware Download"; flow: to_server,established; content:"/traff/ppiigg.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; classtype:trojan-activity; sid:2002987; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpySheriff Intial Phone Home"; flow:established,to_server; content:"trial.php?rest="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"trial.php"; nocase; content:!"User-Agent|3a| "; http_header; reference:url,vil.nai.com/vil/content/v_135033.htm; 
reference:url,doc.emergingthreats.net/bin/view/Main/2003251; classtype:trojan-activity; sid:2003251; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; content:"&advid="; nocase; http_uri; content:"&u="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"?=______"; http_uri; content:"&vs="; nocase; http_uri; content:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; classtype:trojan-activity; sid:2007593; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyaxe Spyware DB Update"; flow: to_server,established; content:"/updates/database/dbver.php"; nocase; http_uri; content:"spywareaxe"; nocase; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; classtype:trojan-activity; sid:2002804; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyaxe Spyware DB Version Check"; flow: to_server,established; content:"/updates/database/dbver.dat"; nocase; http_uri; content:"spywareaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; classtype:trojan-activity; sid:2002805; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyaxe Spyware Checkin"; flow: to_server,established; content:"/download.php?sid="; nocase; http_uri; content:"spyaxe"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; classtype:trojan-activity; sid:2002806; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyspotter.com Install"; flow: to_server,established; content:"/SpySpotterInstall.cab"; nocase; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001536; classtype:trojan-activity; sid:2001536; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyspotter.com Access"; flow: to_server,established; content:"Host|3a| "; http_header; content:"spyspotter.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; classtype:trojan-activity; sid:2001537; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; classtype:trojan-activity; sid:2000587; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpywareLabs Application Install"; flow: to_server,established; content:"/DistID/BaseInstalls/V"; nocase; http_uri; content:"User-Agent|3a|"; nocase; http_header; content:"Wise"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; classtype:trojan-activity; sid:2001522; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware Stormer Reporting Data"; flow: established,to_server; content:"/showme.aspx?keyword="; nocase; http_uri; content:"ecomdata1="; nocase; http_client_body; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; classtype:trojan-activity; sid:2001570; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware Stormer/Error Guard Activity"; flow: established,to_server; 
content:"/sell.cgi?errorguard/1/errorguard"; nocase; http_uri; reference:url,www.spywarestormer.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; classtype:trojan-activity; sid:2001571; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Statblaster.MemoryWatcher Download"; flow: to_server,established; content:"/memorywatcher.exe"; http_uri; reference:url,www.memorywatcher.com/eula.aspx; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; classtype:trojan-activity; sid:2001442; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfSidekick Activity"; flow: established,to_server; content:"/Bundling/SskUpdater"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; classtype:trojan-activity; sid:2001731; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; content:"/requestimpression.aspx?ver="; nocase; http_uri; content:"host="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; classtype:trojan-activity; sid:2001992; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfSidekick Activity (ipixel)"; flow: established,to_server; content:"/ipixel.htm?cid="; nocase; http_uri; content:"&pck_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; classtype:trojan-activity; sid:2001994; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET MALWARE SurfSidekick Activity (rinfo)"; flow: established,to_server; content:"/rinfo.htm?"; nocase; http_uri; content:"host="; nocase; http_uri; content:"action="; nocase; http_uri; content:"client=SSK"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; classtype:trojan-activity; sid:2002738; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfAccuracy.com Spyware Updating"; flow:to_server,established; content:"/sacc/sacc.cfg.php?"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; classtype:trojan-activity; sid:2003390; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; content:"/sacc/popup.php"; nocase; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; classtype:trojan-activity; sid:2003391; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfAssistant.com Spyware Install"; flow: to_server,established; content:"/distribution/questmod-1.dll"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; classtype:trojan-activity; sid:2001510; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SurfAssistant.com Spyware Reporting"; flow: to_server,established; content:"/sa/?a="; nocase; http_uri; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; classtype:trojan-activity; sid:2001514; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE System-defender.com Fake AV Install Checkin"; flow:established,to_server; content:"?wmid="; nocase; http_uri; content:"&mid="; nocase; http_uri; content:"&lndid="; nocase; http_uri; reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; classtype:trojan-activity; sid:2007856; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; content:"/victim.php?"; http_uri; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; classtype:trojan-activity; sid:2007945; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sytes.net Related Spyware Reporting"; flow:to_server,established; content:"/Reporting/admin/upload.php"; nocase; http_uri; content:"POST"; nocase; http_method; content:"sytes.net"; nocase; http_header; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; classtype:trojan-activity; sid:2003533; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; content:"/request/req.cgi?gu="; nocase; http_uri; content:"&sid="; nocase; http_uri; content:"&kw="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; classtype:trojan-activity; sid:2001997; rev:8; metadata:created_at 
2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; content:"/data/tn.dat?v="; nocase; http_uri; content:"&sid="; nocase; http_uri; reference:url,www.targetnetworks.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; classtype:trojan-activity; sid:2002046; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; content:"/pa/glx.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; classtype:trojan-activity; sid:2001482; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; content:"/pa/proxyrnd.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; classtype:trojan-activity; sid:2001485; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Theinstalls.com Initial Checkin"; flow:established,to_server; content:"/plist.php?uid="; http_uri; content:"Host|3a| "; http_header; content:"theinstalls.com"; http_header; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; classtype:trojan-activity; sid:2007788; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibsystems Spyware Download"; flow: to_server,established; content:"/d4.fcgi?v="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; classtype:trojan-activity; sid:2001488; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibsystems Spyware Install (1)"; 
flow: to_server,established; content:"/fcgi-bin/iza2.fcgi?m="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; classtype:trojan-activity; sid:2001729; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tibsystems Spyware Install (2)"; flow: to_server,established; content:"/tb/loader2.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; classtype:trojan-activity; sid:2001734; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; content:"/ldr.exe"; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; classtype:trojan-activity; sid:2001890; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,toolbarpartner.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; classtype:trojan-activity; sid:2001895; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; classtype:trojan-activity; sid:2000588; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TopMoxie Retrieving Data (downloads)"; flow: to_server,established; content:"/external/builds/downloads2/"; http_uri; 
nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; classtype:trojan-activity; sid:2000589; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TopMoxie Retrieving Data (common)"; flow: to_server,established; content:"/external/builds/common/"; http_uri; nocase; reference:url,www.topmoxie.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; classtype:trojan-activity; sid:2000590; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Toprebates.com Install (1)"; flow: established,to_server; content:"/mailz.php?id="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; classtype:trojan-activity; sid:2001646; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Toprebates.com Install (2)"; flow: established,to_server; content:"/builds/"; nocase; http_uri; content:"AutoTrack_Install.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; classtype:trojan-activity; sid:2001647; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Toprebates.com User Confirming Membership"; flow: established,to_server; content:"/cgi/account.plx?pid="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; classtype:trojan-activity; sid:2001648; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Ezula Installer Download"; flow: 
from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; classtype:trojan-activity; sid:2001335; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; content:"/spywareremovers.php?"; http_uri; content:"Host|3a| topantispyware.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; classtype:trojan-activity; sid:2001520; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Topconverting Spyware Install"; flow: to_server,established; content:"/activex/weirdontheweb_topc.exe"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; classtype:trojan-activity; sid:2002004; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Topconverting Spyware Reporting"; flow: to_server,established; content:"/trigger.php?partner="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; classtype:trojan-activity; sid:2002040; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Traffic Syndicate Add/Remove"; flow: to_server,established; content:"/Support/AddRemove.aspx?id="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; classtype:policy-violation; sid:2001313; rev:8; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Traffic Syndicate Agent Updating (1)"; flow: to_server,established; content:"/TbLinkConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; classtype:policy-violation; sid:2001315; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Traffic Syndicate Agent Updating (2)"; flow: to_server,established; content:"/TbInstConfig.asmx"; nocase; http_uri; threshold: type limit, track by_src, count 1, seconds 360; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; classtype:policy-violation; sid:2001316; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trafficsector.com Spyware Install"; flow: to_server,established; content:"/install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; http_uri; content:"trafficsector"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; classtype:policy-violation; sid:2002736; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Transponder Spyware Activity"; flow:established,to_server; content:"/sendROIcookie.cfm?refer="; nocase; http_uri; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; classtype:trojan-activity; sid:2002320; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Travel Update Spyware"; flow:established,to_server; content:"/abt?data="; nocase; http_uri; pcre:"/\/abt\?data=\S{150}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; classtype:trojan-activity; 
sid:2003297; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".exe?nva="; http_uri; content:"&aff="; http_uri; content:"&token="; http_uri; content:"User-Agent|3a| Macrovision_DM"; nocase; http_header; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; classtype:policy-violation; sid:2009091; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UCMore Spyware Reporting"; flow: to_server,established; content:"/iis2ucms.asp"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001995; classtype:trojan-activity; sid:2001995; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; content:"/jk/exp.wmf"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; classtype:trojan-activity; sid:2002999; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PopupSh.ocx Access Attempt"; flow:to_server,established; content:"/PopupSh.ocx"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; classtype:trojan-activity; sid:2003000; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; 
pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:trojan-activity; sid:2008158; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE V-Clean.com Fake AV Checkin"; flow:established,to_server; content:"/bill_mod/bill_count.php?C_FLAG="; fast_pattern; http_uri; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.5|3b| Windows 98)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; classtype:trojan-activity; sid:2008180; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; content:"/DittoIA.jsh?pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; classtype:trojan-activity; sid:2002348; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; content:"/js.vppimage?key="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; classtype:trojan-activity; sid:2002350; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; content:"/mmdom.exe"; nocase; http_uri; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; classtype:trojan-activity; sid:2001525; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; content:"/bkinst.exe"; nocase; http_uri; content:"virtumonde.com"; http_header; 
reference:url,www.lurhq.com/iframeads.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; classtype:trojan-activity; sid:2001526; rev:23; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/scripts/get_cookie.php"; nocase; http_uri; content:"vomba="; http_client_body; depth:6; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; classtype:trojan-activity; sid:2007870; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Webbuying.net Spyware Installing"; flow:established,to_server; content:"/inst.php?"; nocase; http_uri; content:"d="; nocase; http_uri; content:"&cl="; nocase; http_uri; content:"&l="; nocase; http_uri; content:"&e="; nocase; http_uri; content:"&v=wbi_v"; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&time="; nocase; http_uri; content:"&win="; nocase; http_uri; content:"&un=0"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; classtype:trojan-activity; sid:2003442; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; classtype:trojan-activity; sid:2001317; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST"; nocase; http_method; 
content:"http|3a|//prime.webhancer.com"; nocase; content:"AgentTag|3a|"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; classtype:trojan-activity; sid:2001677; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Webhancer Agent Activity"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; within:32; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; classtype:trojan-activity; sid:2001678; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Websearch.com Spyware"; flow: to_server,established; content:"/sitereview.asmx/GetReview"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; classtype:trojan-activity; sid:2001325; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; content:"/1/rdgUS10.exe"; nocase; http_uri; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; classtype:trojan-activity; sid:2001517; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; content:"/notifier/config.ini?v="; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; classtype:trojan-activity; sid:2002036; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; content:"/SearchDB?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; classtype:policy-violation; sid:2000919; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wild Tangent Agent Installation"; flow: to_server,established; content:"/Recovery/Checkin.aspx?version"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; classtype:trojan-activity; sid:2001307; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wild Tangent Agent Checking In"; flow: to_server,established; content:"/CDADeliveries/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; classtype:trojan-activity; sid:2001309; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wild Tangent Agent Traffic"; flow: to_server,established; content:"/CDAFiles/DP/SysConfig"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; classtype:trojan-activity; sid:2001310; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wild Tangent Agent"; flow: to_server,established; content:"/CDAFiles/"; nocase; http_uri; 
reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; classtype:trojan-activity; sid:2001314; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wild Tangent New Install"; flow: to_server,established; content:"/NewUser/Checkin.aspx"; nocase; http_uri; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; classtype:trojan-activity; sid:2001322; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Wild Tangent Install"; flow: to_server,established; content:"/updatestats/AI_Euro.exe"; nocase; http_uri; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; classtype:trojan-activity; sid:2002008; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windupdates.com Spyware Install"; flow: established,to_server; content:"/cab/CDTInc/ie/"; nocase; http_uri; content:".cab"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; classtype:trojan-activity; sid:2001700; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Windupdates.com Spyware Loggin Data"; flow: established,to_server; content:"/logging.php?p="; nocase; http_uri; content:"Host|3a| public.windupdates.com"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; classtype:trojan-activity; sid:2001701; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; 
content:"/dispatcher.php?action="; nocase; http_uri; content:"Host|3a| www.winfix"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; classtype:trojan-activity; sid:2003543; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winferno Registry Fix Spyware Download"; flow: to_server,established; content:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; classtype:trojan-activity; sid:2003353; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Freeze.com Spyware Download"; flow: to_server,established; content:"/WebServices/DesktopManager/"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; classtype:trojan-activity; sid:2003356; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/checkupdate.php"; nocase; http_uri; content:"User-Agent|3a| Opera"; http_header; content:"Computer ID|3a| "; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; classtype:trojan-activity; sid:2008197; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; content:"/fa/evil.html"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; classtype:trojan-activity; sid:2001461; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; content:"/fa/?d=get"; nocase; http_uri; 
reference:url,doc.emergingthreats.net/bin/view/Main/2001462; classtype:trojan-activity; sid:2001462; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http|3a|//xpire.info/i.exe"; nocase; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; classtype:trojan-activity; sid:2001463; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; content:"/i.exe"; nocase; http_uri; content:"xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; classtype:trojan-activity; sid:2001464; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; content:"/dl/adv121.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; classtype:trojan-activity; sid:2001466; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; content:"/dl/adv121/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; classtype:trojan-activity; sid:2001467; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; content:"/fa/ied_s7m.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; classtype:trojan-activity; sid:2001468; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; content:"/fa/x.chm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; classtype:trojan-activity; sid:2001469; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; content:"/fa/xpl3.htm"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; classtype:trojan-activity; sid:2001470; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Spyware Exploit"; flow: to_server,established; content:"/2DimensionOfExploitsEnc.php"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; classtype:trojan-activity; sid:2001471; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; classtype:trojan-activity; sid:2001541; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yourscreen.com Spyware Download"; flow: to_server,established; content:"/data/yourscreen_data.exe"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; classtype:trojan-activity; sid:2003354; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; content:"/protector.exe"; nocase; http_uri; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; classtype:trojan-activity; 
sid:2002092; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; content:"/sideb.exe"; nocase; http_uri; reference:url,www.yupsearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; classtype:trojan-activity; sid:2002098; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zenotecnico Adware"; flow: to_server,established; content:"/cl/clientdump"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; classtype:policy-violation; sid:2001947; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zenotecnico Adware 2"; flow: to_server,established; content:"/cl/clienthost"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; classtype:policy-violation; sid:2002735; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; content:"/instreport"; http_uri; content:"zenotecnico"; nocase; http_header; reference:url,www.zenotecnico.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; classtype:policy-violation; sid:2002737; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".asp?rnd="; http_uri; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&umode="; http_client_body; 
content:"&cn="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; classtype:trojan-activity; sid:2008798; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Supergames.aavalue.com Spyware"; flow: established,to_server; content:"/toolbars/msg/msg_serverside.xml"; nocase; http_uri; content:"aavalue.com"; nocase; http_header; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; classtype:trojan-activity; sid:2003525; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE adservs.com Spyware"; flow: to_server,established; content:"/binaries/relevance.dat"; http_uri; content:"adservs"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; classtype:policy-violation; sid:2002740; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iframebiz - sploit.anr"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/sploit.anr"; nocase; http_uri; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; classtype:trojan-activity; sid:2002708; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loaderadv"; nocase; http_uri; pcre:"/loaderadv\d+\.jar/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; classtype:trojan-activity; sid:2002709; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ET MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/loadadv"; nocase; http_uri; pcre:"/loadadv\d+\.exe/Ui"; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; classtype:trojan-activity; sid:2002710; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; content:"/qwertyuiyw12ertyuytre"; nocase; http_uri; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; classtype:trojan-activity; sid:2008681; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE K8l.info Spyware Activity"; flow: to_server,established; content:"/media/servlet/view/dynamic/url/zone?"; nocase; http_uri; content:"zid="; nocase; http_uri; content:"&pid="; nocase; http_uri; content:"&DHWidth="; nocase; http_uri; content:"&DHHeight="; nocase; http_uri; content:"Ref="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; classtype:policy-violation; sid:2003451; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EZULA Spyware User Agent"; flow: established,to_server; content:"User-Agent|3a| ezula"; http_header; nocase; reference:url,doc.emergingthreats.net/2001854; classtype:trojan-activity; sid:2001854; rev:24; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Easy Search Bar Spyware User-Agent (ESB)"; flow: established,to_server; content:"User-Agent|3a| ESB"; http_header; 
reference:url,doc.emergingthreats.net/2001853; classtype:trojan-activity; sid:2001853; rev:26; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (webcount)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| webcount"; http_header; reference:url,doc.emergingthreats.net/2011149; classtype:trojan-activity; sid:2011149; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Suggestion)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| Suggestion|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/2011229; classtype:trojan-activity; sid:2011229; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (XieHongWei-HttpDown/2.0)"; flow:to_server,established; content:"GET"; nocase; http_method; content:"User-Agent|3a| XieHongWei"; http_header; reference:url,doc.emergingthreats.net/2011248; classtype:trojan-activity; sid:2011248; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL.Amiricil.gen HTTP Checkin"; flow:established,to_server; content:"/registerSession.py?"; http_uri; nocase; content:"proj="; http_uri; nocase; content:"&country="; http_uri; nocase; content:"&lang="; http_uri; nocase; content:"&channel="; http_uri; nocase; content:"source="; http_uri; nocase; content:"User-Agent|3a| NSIS_Inetc (Mozilla)"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=af0bbdf6097233e8688c5429aa97bbed; reference:url,doc.emergingthreats.net/2011677; classtype:trojan-activity; sid:2011677; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTML.Psyme.Gen Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/channelCode.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=de1adb1df396863e7e3967271e7db734; classtype:trojan-activity; sid:2011856; rev:3; metadata:created_at 2010_10_26, updated_at 2010_10_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0"; flow:established,to_server; content:"|20|HTTP/1.0|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; classtype:trojan-activity; sid:2011938; rev:5; metadata:created_at 2010_11_19, updated_at 2010_11_19;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1"; flow:established,to_server; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; http_header; content:"Host|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:".php?"; nocase; http_uri; content:!"Connection|3a| "; http_header; classtype:trojan-activity; sid:2011939; rev:7; metadata:created_at 2010_11_19, updated_at 2010_11_19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ASKTOOLBAR.DLL Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/toolbarv/askBarCfg?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"e="; http_uri; nocase; reference:url,threatexpert.com/report.aspx?md5=3f6413475b1466964498c8450de4062f; classtype:trojan-activity; sid:2012000; rev:3; metadata:created_at 2010_12_07, updated_at 2010_12_07;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related"; flow:established,to_client; 
content:"Content-Language|3A| ru"; nocase; http_header; fast_pattern:only; classtype:misc-activity; sid:2012228; rev:5; metadata:created_at 2011_01_25, updated_at 2011_01_25;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; fast_pattern:only; classtype:misc-activity; sid:2012229; rev:7; metadata:created_at 2011_01_25, updated_at 2011_01_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible FakeAV Binary Download"; flow:established,to_client; content:"filename=|22|"; http_header; nocase; content:"antiv"; fast_pattern; nocase; http_header; within:50; pcre:"/filename\x3D\x22[^\r\n]*antiv[^\n]+\.exe/Hi"; classtype:trojan-activity; sid:2012753; rev:6; metadata:created_at 2011_04_29, updated_at 2011_04_29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tool.InstallToolbar.24 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; http_uri; content:"TbId="; nocase; http_uri; content:"TUID="; nocase; http_uri; content:"Action_Type="; nocase; http_uri; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:trojan-activity; sid:2014060; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32-Adware.Hotclip.A Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/filetadak/app_check.php?"; nocase; http_uri; content:"kind="; nocase; http_uri; content:"pid=donkeys"; nocase; http_uri; reference:url,spydig.com/spyware-info/Win32-Adware-Hotclip-A.html; classtype:trojan-activity; sid:2014069; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
MALWARE Adware.Gen5 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cmd/report.php?"; nocase; http_uri; content:"PartnerId="; nocase; http_uri; content:"OfferId="; nocase; http_uri; content:"action="; nocase; http_uri; content:"program="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=90410d783f6321c8684ccb9ff0613a51; classtype:trojan-activity; sid:2014071; rev:4; metadata:created_at 2012_01_02, updated_at 2012_01_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious ad_track.php file Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad_track.php"; nocase; http_uri; content:"etekey="; nocase; http_uri; content:"track.ete.cn"; nocase; http_header; classtype:trojan-activity; sid:2014183; rev:4; metadata:created_at 2012_02_06, updated_at 2012_02_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameplayLabs.Adware Installer Checkin"; flow:established,to_server; content:"/install.xml?pid="; http_uri; content:"gameplaylabs.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014249; rev:4; metadata:created_at 2012_02_20, updated_at 2012_02_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/LoudMo.Adware Checkin"; flow:established,to_server; content:"/?aff="; http_uri; content:"Host|3A 20|www.gamebound.com"; http_header; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FLoudmo; reference:md5,fc06c613e83f0d3271beba4fdcda987f; classtype:trojan-activity; sid:2014400; rev:3; metadata:created_at 2012_03_19, updated_at 2012_03_19;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; 
reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:trojan-activity; sid:2014403; rev:2; metadata:created_at 2012_03_19, updated_at 2012_03_19;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan User-Agent (Windows Updates Manager)"; flow:to_server,established; content:"User-Agent|3a| Windows Updates Manager"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003585; classtype:trojan-activity; sid:2003585; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"IpAddr="; nocase; http_uri; content:"&OS="; nocase; http_uri; content:"&RegistryChanged="; nocase; http_uri; content:"&RegistryUpdate="; nocase; http_uri; content:"&NewInstallation="; nocase; http_uri; content:"&utilMissing="; nocase; http_uri; content:"&Basedir="; nocase; http_uri; content:"&BundleID="; nocase; http_uri; content:"&InitInstalled="; nocase; http_uri; content:"&Interval="; nocase; http_uri; content:"&LastInitRun="; nocase; http_uri; content:"&LastInitVer="; nocase; http_uri; content:"&LastSrngRun="; nocase; http_uri; content:"&LastUtilRun="; nocase; http_uri; content:"&SrngInstalled="; nocase; http_uri; content:"&SrngVer="; nocase; http_uri; content:"&UtilInstalled="; nocase; http_uri; content:"&UtilVer="; nocase; http_uri; content:"&PCID"; nocase; http_uri; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; classtype:trojan-activity; sid:2009807; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 
Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field)"; flow:established,to_server; content:"microsoft_predator_client"; nocase; http_header; reference:url,www.fourteenforty.jp/products/yarai/CVE2011-0609/; reference:url,www.kahusecurity.com/2011/apec-spearphish-2/; reference:md5,3d91d9df315ffeb9bb1c774452b3114b; classtype:bad-unknown; sid:2014584; rev:5; metadata:created_at 2012_04_16, updated_at 2012_04_16;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameVance User-Agent (aw v3)"; flow:established,to_server; content:"User-Agent|3A 20|aw v3"; http_header; classtype:trojan-activity; sid:2014606; rev:4; metadata:created_at 2012_04_17, updated_at 2012_04_17;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/GameVance Adware Server Reponse To Client Checkin"; flow:established,to_client; content:"|0d 0a 0d 0a|cfgint="; content:"cid="; within:30; content:"eus="; within:30; content:"esint="; within:30; content:"sc2dcnt="; within:30; content:"domfqcap="; within:30; content:"domtm="; within:30; content:"css="; within:30; classtype:trojan-activity; sid:2014605; rev:6; metadata:created_at 2012_04_17, updated_at 2012_04_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Dialer.Adultchat Checkin"; flow:established,to_server; content:"/getclientid.wnk?srv="; http_uri; content:"&ver="; http_uri; content:"&pin="; http_uri; content:"&OSInfo2="; http_uri; content:"&cinfo="; http_uri; content:"retryattempt="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813; reference:md5,fd2c949dc20b651a53326a3d571641ec; classtype:trojan-activity; sid:2014667; rev:2; metadata:created_at 2012_05_02, updated_at 2012_05_02;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; 
content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:trojan-activity; sid:2014735; rev:3; metadata:created_at 2012_05_11, updated_at 2012_05_11;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:bad-unknown; sid:2014798; rev:2; metadata:created_at 2012_05_21, updated_at 2012_05_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; content:"User-Agent|3A| MM "; http_header; pcre:"/User-Agent\x3a MM \d\.\d+\x0d\x0a/H"; classtype:trojan-activity; sid:2013388; rev:4; metadata:created_at 2011_08_10, updated_at 2011_08_10;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:trojan-activity; sid:2001489; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:trojan-activity; sid:2001491; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/rdc/rnd.php"; http_uri; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:trojan-activity; sid:2014767; rev:5; metadata:created_at 2012_05_18, updated_at 
2012_05_18;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:trojan-activity; sid:2014810; rev:4; metadata:created_at 2012_05_25, updated_at 2012_05_25;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdVantage Malware URL Infection Report"; flow:established,to_server; content:"cfg_ver="; http_uri; nocase; content:"hwd="; http_uri; nocase; content:"campaign="; http_uri; nocase; content:"ver="; http_uri; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012105; rev:3; metadata:created_at 2011_12_27, updated_at 2011_12_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:trojan-activity; sid:2003365; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; content:"POST"; http_method; nocase; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE web shell detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a 0d 0a|command="; fast_pattern; content:"&result="; within:12; classtype:trojan-activity; 
sid:2011391; rev:9; metadata:created_at 2010_09_28, updated_at 2010_09_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015018; rev:2; metadata:created_at 2012_07_03, updated_at 2012_07_03;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:trojan-activity; sid:2008840; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:trojan-activity; sid:2008839; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OnlineGames Checkin"; flow:established,to_server; content:"/game"; http_uri; content:"/diary/item/"; http_uri; content:"User-Agent|3A| getURLDown|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015017; rev:4; metadata:created_at 2012_07_03, updated_at 2012_07_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sogou Toolbar Checkin"; flow:to_server,established; content:"/seversion.txt"; http_uri; content:"User-Agent|3a| SeFastSetup"; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:trojan-activity; sid:2011226; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; content:"User-Agent|3a| 
Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2006361; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SWInformer.B Checkin"; flow:to_server,established; content:"log.php?"; http_uri; content:"User-Agent|3a| FDMuiless|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014004; rev:4; metadata:created_at 2011_12_08, updated_at 2011_12_08;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; content:".php?pi="; fast_pattern:only; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 6.0)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013540; rev:5; metadata:created_at 2011_09_06, updated_at 2011_09_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?z="; nocase; http_uri; content:"|26|ch="; nocase; fast_pattern; http_uri; content:"|26|dim="; nocase; http_uri; content:"|26|abr="; nocase; http_uri; content:!"Referer|3a| "; nocase; http_header; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; classtype:trojan-activity; sid:2008375; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern; 
content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:trojan-activity; sid:2002988; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"&advid="; fast_pattern; http_uri; content:"&u="; http_uri; content:"&p="; http_uri; content:"HTTP/1."; content:!"User-Agent|3a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; classtype:trojan-activity; sid:2007744; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; fast_pattern; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:trojan-activity; sid:2008149; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; http_uri; nocase; fast_pattern; content:"?ver="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:trojan-activity; sid:2003217; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:trojan-activity; 
sid:2008742; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http any any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:trojan-activity; sid:2001683; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; content:"/images/mysearchbar/highlight"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:trojan-activity; sid:2003351; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; content:"/images/mysearchbar/customize"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:trojan-activity; sid:2003352; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Toplist.cz Related Spyware Checkin"; flow:to_server,established; content:"User-Agent|3a| BWL"; http_header; pcre:"/BWL(\sToplist|\d_UPDATE)/H"; classtype:trojan-activity; 
sid:2003505; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:trojan-activity; sid:2013405; rev:3; metadata:created_at 2011_08_11, updated_at 2011_08_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; content:"BitcoinPlusMiner("; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:bad-unknown; sid:2014535; rev:3; metadata:created_at 2012_04_09, updated_at 2012_04_09;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:trojan-activity; sid:2008157; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"PCDoc"; http_user_agent; depth:5; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; classtype:trojan-activity; sid:2007786; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"mypcdoc"; http_user_agent; depth:7; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; classtype:trojan-activity; sid:2007804; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Simbar Spyware User-Agent Detected"; 
flow:established,to_server; content:"|3b| SIMBAR={"; http_user_agent; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; reference:url,vil.nai.com/vil/content/v_131206.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2009005; classtype:policy-violation; sid:2009005; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"gh20"; http_user_agent; depth:4; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; classtype:trojan-activity; sid:2007944; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; content:"RichCasino"; nocase; http_user_agent; depth:10; reference:url,doc.emergingthreats.net/2009831; classtype:trojan-activity; sid:2009831; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:trojan-activity; sid:2008757; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; content:"/sd?s="; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; 
classtype:trojan-activity; sid:2002196; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; content:"/sd?s="; nocase; http_uri; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; reference:url,doc.emergingthreats.net/2009880; classtype:trojan-activity; sid:2009880; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE debelizombi.com (Rizo) related Spyware User-Agent (mc_v1.2.6)"; flow:to_server,established; content:"mc_v1"; depth:5; http_user_agent; reference:url,www.f-secure.com/v-descs/rizo.shtml; reference:url,doc.emergingthreats.net/2003656; classtype:trojan-activity; sid:2003656; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; content:"SnoopStick "; http_user_agent; depth:11; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; classtype:trojan-activity; sid:2007956; rev:7; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Thespyguard.com Spyware Update Check"; flow:established,to_server; content:"/soft/update/check_update.php"; nocase; http_uri; content:"Host|3a| www.kliksoftware.com"; nocase; http_header; fast_pattern; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; classtype:trojan-activity; sid:2003202; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:trojan-activity; sid:2007602; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; content:"/LogProc.php?"; fast_pattern:only; http_uri; content:"mac="; http_uri; content:"mode="; http_uri; content:"&pCode="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:trojan-activity; sid:2013797; rev:4; metadata:created_at 2011_10_24, updated_at 2011_10_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE suspicious User-Agent (vb wininet)"; flow:established,to_server; content:"vb|20 20 20|wininet"; depth:12; http_user_agent; classtype:bad-unknown; sid:2016069; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2012_12_20, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Save)"; flow:to_server,established; content:"User-Agent|3a| Save|0d 0a|"; http_header; reference:url,poweredbysave.com; classtype:trojan-activity; sid:2011120; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/version/controllerVersion"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; 
reference:url,doc.emergingthreats.net/bin/view/Main/2007995; classtype:trojan-activity; sid:2007995; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Eorezo.Adware CnC Beacon"; flow:established,to_server; content:"/cgi-bin/advert/settags?x_mode="; fast_pattern:8,20; http_uri; content:"&x_format="; http_uri; content:"&x_pub_id="; http_uri; content:"&tag="; http_uri; content:"Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_user_agent; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-061213-2441-99; classtype:trojan-activity; sid:2016546; rev:3; metadata:created_at 2013_03_06, updated_at 2013_03_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IE Toolbar User-Agent (IEToolbar)"; flow:established,to_server; content:"IEToolbar"; http_user_agent; reference:url,doc.emergingthreats.net/2009766; classtype:trojan-activity; sid:2009766; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antivirgear.com Fake Anti-Spyware User-Agent (AntiVirGear)"; flow:established,to_server; content:"AntiVirGear"; http_user_agent; reference:url,doc.emergingthreats.net/2007697; classtype:trojan-activity; sid:2007697; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE vaccine-program.co.kr Related Spyware User-Agent (vaccine)"; flow:established,to_server; content:"vaccine"; http_user_agent; depth:7; reference:url,doc.emergingthreats.net/2008200; classtype:trojan-activity; sid:2008200; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
MALWARE Enhance My Search Spyware User-Agent (HelperH)"; flow: established,to_server; content:"HelperH"; http_user_agent; reference:url,doc.emergingthreats.net/2001746; classtype:trojan-activity; sid:2001746; rev:35; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Mozilla UA Outbound (Mozilla/0.xx)"; flow:established,to_server; content:"Mozilla/0."; http_user_agent; depth:10; reference:url,doc.emergingthreats.net/2010905; classtype:bad-unknown; sid:2010905; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Grandstreet Interactive Spyware User-Agent (IEP)"; flow: to_server,established; content:"IEP"; http_user_agent; depth:3; reference:url,doc.emergingthreats.net/2002021; classtype:trojan-activity; sid:2002021; rev:28; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (AgavaDwnl) - Possibly Xema"; flow:established,to_server; content:"AgavaDwnl"; http_user_agent; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009445; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZCOM Adware/Spyware User-Agent (ZCOM Software)"; flow:established,to_server; content:"ZCOM"; http_user_agent; depth:4; classtype:policy-violation; sid:2008503; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Win32/SProtector.A Client Checkin"; flow:established,to_server; 
content:"?data="; http_uri; content:"&version="; http_uri; distance:0; content:"win32"; http_user_agent; depth:5; fast_pattern; reference:md5,38f61d046e575971ed83c4f71accd132; classtype:trojan-activity; sid:2016780; rev:4; metadata:created_at 2013_04_22, updated_at 2013_04_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Shopathomeselect.com Spyware User-Agent (WebDownloader)"; flow: to_server,established; content:"WebDownloader"; http_user_agent; reference:url,doc.emergingthreats.net/2002038; classtype:trojan-activity; sid:2002038; rev:249; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ezday.co.kr Related Spyware User-Agent (Ezshop)"; flow:established,to_server; content:"Ezshop"; http_user_agent; reference:url,doc.emergingthreats.net/2008594; classtype:trojan-activity; sid:2008594; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lowercase mozilla/2.0 User-Agent Likely Malware"; flow:established,to_server; content:"mozilla/2.0"; http_user_agent; depth:11; reference:url,www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FCycbot.B; classtype:trojan-activity; sid:2012642; rev:7; metadata:created_at 2011_04_06, updated_at 2011_04_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware Command Client Checkin"; flow: to_server,established; content:"/client.php?str="; nocase; http_uri; content:"Indy Library)"; nocase; http_user_agent; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; classtype:policy-violation; sid:2003446; rev:8; metadata:created_at 2010_07_30, 
updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Megaupload Spyware User-Agent (Megaupload)"; flow:to_server,established; content:"Megaupload"; depth:10; http_user_agent; reference:url,www.budsinc.com; reference:url,doc.emergingthreats.net/2003224; classtype:trojan-activity; sid:2003224; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (_TEST_)"; flow: to_server,established; content:"_TEST_"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2009545; classtype:trojan-activity; sid:2009545; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sality Virus User Agent Detected (KUKU)"; flow:established,to_server; content:"KUKU"; nocase; http_user_agent; depth:4; reference:url,doc.emergingthreats.net/2003636; classtype:trojan-activity; sid:2003636; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent Custom_56562_HttpClient/VER_STR_COMMA"; flow: established,to_server; content:"Custom_56562_HttpClient/VER_STR_COMMA"; depth:37; http_user_agent; nocase; classtype:trojan-activity; sid:2016916; rev:3; metadata:created_at 2013_05_22, updated_at 2013_05_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware pricepeep Adware.Shopper.297"; flow: established,to_server; content:"GET"; nocase; http_method; content:"/logger/software/hit/"; nocase; http_uri; content:"/?v."; nocase; http_uri; reference:url,virustotal.com/en/file/1ea487b1507305f17a2cd2ab0dbcfac523419dbc27cde38e27cb5c4a8d3c9caf/analysis/; reference:url,lists.clean-mx.com/pipermail/viruswatch/20121222/037085.html; reference:md5,0564e603f9ed646553933cb0d271f906; classtype:trojan-activity; 
sid:2016917; rev:2; metadata:created_at 2013_05_22, updated_at 2013_05_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Ezula Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/download/UVid.asp?"; fast_pattern:only; http_uri; reference:md5,dede600f1e78fd20e4515bea1f2bdf61; classtype:trojan-activity; sid:2016938; rev:3; metadata:created_at 2013_05_28, updated_at 2013_05_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Eorezo-B Adware Checkin"; flow:established,to_server; content:"x-company|3a| "; http_header; content:"EoAgence-"; http_user_agent; reference:md5,6631bb8d95906decc7e6f7c51f6469e6; classtype:trojan-activity; sid:2014120; rev:3; metadata:created_at 2012_01_12, updated_at 2012_01_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Tibs Checkin"; flow:established,to_server; content:"/adv/"; nocase; http_uri; content:".php?a1="; nocase; http_uri; content:"&a2=Type of Processor|3a|"; nocase; http_uri; content:"&a3=Windows version is "; nocase; http_uri; content:"&a4=Build|3a|"; nocase; http_uri; reference:md5,65448c8678f03253ef380c375d6670ce; classtype:trojan-activity; sid:2002955; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (go-diva)"; flow:to_server,established; content:"go-diva"; http_user_agent; reference:url,pcthreat.com/parasitebyid-8835en.html; classtype:trojan-activity; sid:2013452; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2011_08_23, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE clickspring.com Spyware Install User-Agent (CS Fingerprint Module)"; flow:to_server,established; content:"CS Fingerprint Module"; nocase; http_user_agent; reference:url,doc.emergingthreats.net/2003425; 
classtype:trojan-activity; sid:2003425; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent Mozilla/3.0"; flow:established,to_server; content:"Mozilla/3.0 (compatible|3b| Internet Explorer)"; http_user_agent; reference:url,doc.emergingthreats.net/2010599; classtype:trojan-activity; sid:2010599; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Visicom Spyware User-Agent (Visicom)"; flow: established,to_server; content:"Visicom"; http_user_agent; threshold: type limit, count 1, seconds 360, track by_src; reference:url,doc.emergingthreats.net/2001872; classtype:trojan-activity; sid:2001872; rev:29; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Errclean.com Related Spyware User-Agent (Locus NetInstaller)"; flow:to_server,established; content:"Locus "; http_user_agent; depth:6; reference:url,doc.emergingthreats.net/2007845; classtype:trojan-activity; sid:2007845; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Crossrider Spyware Checkin"; flow:established,to_server; content:"/updater/"; http_uri; depth:9; content:"/update.json?rnd="; http_uri; distance:32; within:18; content:!"User-Agent"; http_header; classtype:trojan-activity; sid:2017196; rev:4; metadata:created_at 2013_07_25, updated_at 2013_07_25;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products Spyware User-Agent (FunWebProducts)"; flow:established,to_server; content:"FunWebProducts"; http_user_agent; threshold: type limit, count 1, seconds 360, track by_src; 
reference:url,doc.emergingthreats.net/2001855; classtype:trojan-activity; sid:2001855; rev:28; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bestoffersnetwork.com Related Spyware User-Agent (TBONAS)"; flow:to_server,established; content:"TBONAS"; depth:6; nocase; http_user_agent; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BestOffersNetworks&threatid=43670; reference:url,doc.emergingthreats.net/2003501; classtype:trojan-activity; sid:2003501; rev:10; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spylocked Fake Anti-Spyware User-Agent (SpyLocked)"; flow:to_server,established; content:"SpyLocked"; nocase; http_user_agent; classtype:trojan-activity; sid:2005322; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mirar Bar Spyware User-Agent (Mbar)"; flow:to_server,established; content:"User-Agent|3a| Mbar|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003928; classtype:trojan-activity; sid:2003928; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Linkular.Adware Icons.dat Second Stage Download"; flow:established,to_server; content:"/downloads/icons.dat"; http_uri; fast_pattern:only; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; 
sid:2017881; rev:3; metadata:created_at 2013_12_17, updated_at 2013_12_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE GMUnpackerInstaller.A Checkin"; flow:to_server,established; content:"/new/rar.xml"; fast_pattern:only; nocase; http_uri; content:!"User-Agent|3a| "; nocase; http_header; reference:md5,43e89125ad40b18d22e01f997da8929a; classtype:trojan-activity; sid:2017892; rev:2; metadata:created_at 2013_12_19, updated_at 2013_12_19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallRex.Adware Initial CnC Beacon"; flow:established,to_server; content:"/?step_id="; http_uri; content:"&publisher_id="; http_uri; content:"&page_id="; http_uri; content:"&country_code="; http_uri; content:"&browser_id="; http_uri; content:"&download_id="; http_uri; content:"&hardware_id="; http_uri; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017911; rev:2; metadata:created_at 2014_12_30, updated_at 2014_12_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallRex.Adware Report CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?report_version="; http_uri; content:"data="; http_client_body; depth:5; reference:md5,9abbb5ea3f55b5182687db69af6cba66; classtype:trojan-activity; sid:2017912; rev:2; metadata:created_at 2014_12_30, updated_at 2014_12_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP)"; flow:established,to_server; content:"|3b 20|Antivir"; http_user_agent; threshold:type limit, count 1, seconds 60, track by_src; reference:url,www.wiki-security.com/wiki/Parasite/Antivirus2008; reference:url,doc.emergingthreats.net/2008549; classtype:trojan-activity; sid:2008549; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent 100 non-printable char"; 
flow:to_server,established; content:"User-Agent|3a 20|"; http_header; pcre:"/^([\x7f-\xff]){100}/HRi"; reference:md5,176638536e926019e3e79370777d5e03; classtype:trojan-activity; sid:2017982; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_01_17, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BettrExperience.Adware Initial Checkin"; flow:established,to_server; content:"/updater/"; http_uri; content:"UpdaterResponse"; http_user_agent; depth:15; content:!"Referer|3a 20|"; http_header; content:!"Accept|3a 20|"; http_header; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018024; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BettrExperience.Adware POST Checkin"; flow:established,to_server; content:"POST"; content:"UpdaterResponse"; http_user_agent; fast_pattern; depth:15; pcre:"/^\x2F[A-F0-9]{25,40}$/U"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018025; rev:3; metadata:created_at 2014_01_27, updated_at 2014_01_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent EXE2"; flow: established,to_server; content:"EXE2"; nocase; depth:4; http_user_agent; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; classtype:trojan-activity; sid:2018049; rev:3; metadata:created_at 2014_01_31, updated_at 2014_01_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Magania"; flow: established,to_server; flowbits:set,EXE2; flowbits:noalert; content:"GET"; http_method; content:".txt"; http_uri; content:"EXE2"; depth:4; fast_pattern; nocase; http_user_agent; content:!"Accept|3a| "; nocase; http_header; content:!"Referer|3a| "; nocase; http_header; content:!"Connection|3a| "; nocase; http_header; reference:md5,112c6db4fb8a9aa18d0cc105662af5a4; 
classtype:trojan-activity; sid:2018050; rev:4; metadata:created_at 2014_01_31, updated_at 2014_01_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent Mozi11a"; flow: established,to_server; content:"Mozi11a"; depth:7; http_user_agent; reference:md5,3cf3d4d5de51a8c37e11595159179571; classtype:trojan-activity; sid:2018051; rev:4; metadata:created_at 2014_01_31, updated_at 2014_01_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AdLoad.Downloader Download"; flow:established,to_server; content:"/v"; http_uri; content:"&product_name="; http_uri; content:"&installer_file_name="; http_uri; pcre:"/\x2Fv[0-9]{3,4}[\x2F\x3F]/U"; reference:url,malwaretips.com/blogs/trojandownloader-win32-adload-da-virus/; classtype:trojan-activity; sid:2018048; rev:3; metadata:created_at 2014_01_31, updated_at 2014_01_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (gettingAnswer)"; flow: established,to_server; content:"gettingAnswer"; depth:13; nocase; http_user_agent; reference:md5,c305a0af3fe84525a993130b7854e3e0; classtype:trojan-activity; sid:2018084; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2014_02_06, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Safekeeper.Adware CnC Beacon"; flow:established,to_server; content:"/app_version/solution/cfg/exn.php?pid="; http_uri; content:".dll|0D 0A|"; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*\x2Edll\x0D\x0A/H"; reference:md5,9a1c669203b5e9ebb68e2c2cfc964daa; classtype:trojan-activity; sid:2018099; rev:2; metadata:created_at 2014_02_10, updated_at 2014_02_10;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallMonetizer.Adware Beacon 2"; flow:established,to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; content:"from="; 
http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&mode="; http_client_body; distance:0; content:"&subid="; http_client_body; distance:0; content:"&mid="; http_client_body; distance:0; classtype:trojan-activity; sid:2018149; rev:3; metadata:created_at 2014_02_17, updated_at 2014_02_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware-Win32/EoRezo Reporting"; flow:established,to_server; content:"/advert/get"; nocase; http_uri; pcre:"/\/advert\/get(?:ads|kws)(?:\.cgi)?\?(?:d|[ex]_dp_)id=/Ui"; reference:url,threatexpert.com/report.aspx?md5=b5708efc8b478274df4b03d8b7dbbb26; classtype:trojan-activity; sid:2013983; rev:6; metadata:created_at 2011_12_02, updated_at 2011_12_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BetterInstaller"; flow:to_server,established; content:"GET"; http_method; content:"?v="; http_uri; content:"&uid="; http_uri; content:"&muid="; http_uri; pcre:"/[a-f0-9]{32}\?v=/Ui"; reference:md5,efa0bed2695446eab679083a9f0f89c6; classtype:trojan-activity; sid:2018195; rev:3; metadata:created_at 2014_01_15, updated_at 2014_01_15;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.AdWare.iBryte.C Install "; flow:established,to_server; content:"/offers.json?version="; http_uri; content:"&pid=installer&ts="; http_uri; reference:md5,2fae46d1a71a893834a01ed3106b8036; classtype:trojan-activity; sid:2018197; rev:2; metadata:created_at 2014_02_28, updated_at 2014_02_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Look2Me Activity"; flow:established,to_server; content:"&ID={"; http_uri; fast_pattern:only; content:"&rand="; http_uri; content:"User-Agent|3a|Mozilla/4.0 (compatible|3b|"; http_header; pcre:"/&ID=\x7b[0-9A-F]{8}(?:-[A-F0-9]{4}){3}-[A-F0-9]{12}\x7d/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; classtype:trojan-activity; sid:2008474; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gator/Clarian Agent"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; content:"gtrg2ze"; nocase; http_uri; reference:url,malware.wikia.com/wiki/Claria_Corporation; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; classtype:policy-violation; sid:2001306; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Xpire.info Spyware Install Reporting"; flow: to_server,established; content:"/report.php?user_id="; fast_pattern; http_uri; content:"&status="; http_uri; content:"&country_id="; http_uri; content:"Windows Internet"; depth:16; http_user_agent; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:md5,17c204bb156dd7f6a3ebd1547129f347; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FZdesnado.AD&ThreatID=-2147454482; classtype:trojan-activity; sid:2001472; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toolbar.CrossRider.A Checkin"; flow:to_server,established; content:".gif?action="; http_uri; content:"&browser="; http_uri; content:"&ver="; http_uri; content:"&bic="; fast_pattern:only; http_uri; content:"&app="; http_uri; content:"&appver="; http_uri; content:"&verifier="; http_uri; reference:md5,55668102739536c1b00bce9e02d8b587; classtype:trojan-activity; sid:2018301; rev:3; metadata:created_at 2012_10_05, updated_at 2012_10_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.MSIL.Solimba.b GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/dmr/access/"; http_uri; content:"DownloadMR"; nocase; depth:10; http_user_agent; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; 
classtype:trojan-activity; sid:2016905; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.MSIL.Solimba.b POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/dmr/exception"; http_uri; content:"DownloadMR"; depth:10; nocase; http_user_agent; reference:url,virustotal.com/en/file/93236b781e147e3ac983be1374a5f807fabd27ee2b92e6d99e293a6eb070ac2b/analysis/; reference:md5,0da0d8e664f44400c19898b4c9e71456; classtype:trojan-activity; sid:2016906; rev:4; metadata:created_at 2013_05_21, updated_at 2013_05_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent Smart-RTP"; flow: established,to_server; content:"Smart-RTP"; depth:9; nocase; http_user_agent; reference:url,www.threatexpert.com/report.aspx?md5=a80f33c94c44556caa2ef46cd5eb863c; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader8.25530.html; reference:md5,2b63ed542eb0e1a4547a2b6e91391dc0; classtype:trojan-activity; sid:2016915; rev:5; metadata:created_at 2013_05_22, updated_at 2013_05_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.Win32.Yotoon.hs Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/product-am.php?id="; http_uri; fast_pattern:only; content:"&v="; http_uri; content:"&offer["; distance:0; http_uri; content:"NSISDL/1.2 (Mozilla)"; depth:20; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,20c7226185ed7999e330a46d3501dccb; classtype:trojan-activity; sid:2018307; rev:4; metadata:created_at 2014_03_19, updated_at 2014_03_19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SoundCloud Downloader Install Beacon"; flow:established,to_server; urilen:10; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Slv="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; 
content:"&admin="; http_client_body; content:"&browser="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltUser="; http_client_body; content:"&ver="; http_client_body; content:"&ts="; http_client_body; reference:url,blog.malwarebytes.org/online-security/2014/03/soundcloud-downloader-always-read-the-eulas/; reference:md5,2e20e446943ecd01d3a668083d81d1fc; classtype:trojan-activity; sid:2018324; rev:2; metadata:created_at 2014_03_26, updated_at 2014_03_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Amonetize.Downloader Executable Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/bundle/"; http_uri; content:"/?p="; http_uri; content:"zz_afi"; depth:6; http_user_agent; reference:md5,23246f740cffc0bd9eb5be2e7703568a; classtype:trojan-activity; sid:2018333; rev:4; metadata:created_at 2014_03_28, updated_at 2014_03_28;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloadAdmin.Adware CnC Beacon"; flow:established,to_server; content:"/dl?gclid="; fast_pattern:only; http_uri; content:"&source="; http_uri; content:"&c="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:trojan-activity; sid:2018338; rev:3; metadata:created_at 2014_03_31, updated_at 2014_03_31;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloadAdmin.Adware Executable Download Request"; flow:established,to_server; content:"/download/"; http_uri; content:"/dl?s="; fast_pattern:only; http_uri; content:"&c="; http_uri; content:"&brand="; http_uri; content:"&pid="; http_uri; content:"&aid="; http_uri; content:"&bc="; http_uri; content:"&country="; http_uri; content:"&cb="; http_uri; reference:url,malwaretips.com/blogs/remove-pup-downloadadmin-virus-removal-guide/; classtype:trojan-activity; sid:2018339; rev:3; 
metadata:created_at 2014_03_31, updated_at 2014_03_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MySearch Products Spyware User-Agent (MySearch)"; flow:established,to_server; content:" MySearch"; http_user_agent; reference:url,doc.emergingthreats.net/2002080; classtype:trojan-activity; sid:2002080; rev:23; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.EZula Adware Reporting Successful Install"; flow:established,to_server; content:"/installer.cfc?res=success&hwid="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FEzula.F; classtype:trojan-activity; sid:2013195; rev:3; metadata:created_at 2011_07_05, updated_at 2011_07_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Wajam.Adware Successful Install"; flow:established,to_server; content:"/wajam_install.exe?aid="; http_uri; content:"User-Agent|3A 20|NSIS_Inetc"; http_header; classtype:trojan-activity; sid:2017561; rev:4; metadata:created_at 2013_10_04, updated_at 2013_10_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Linkular.Adware Successful Install Beacon"; flow:established,to_server; content:"/api/success/?s="; http_uri; fast_pattern:only; content:"&c="; http_uri; content:"&cv="; http_uri; content:"&context="; http_uri; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; reference:md5,7cc162a2ba136baaa38a9ccf46d97a06; classtype:trojan-activity; sid:2017880; rev:6; metadata:created_at 2013_12_17, updated_at 2013_12_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Linkular.Adware Successful Install Beacon (2)"; flow:established,to_server; content:"/api/software/?s="; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&output="; http_uri; content:"&v="; http_uri; 
content:"&l="; http_uri; content:"&np="; http_uri; content:"&osv="; http_uri; content:"&b="; http_uri; content:"&bv="; http_uri; content:"&c="; http_uri; content:"&cv="; http_uri; reference:url,webroot.com/blog/2014/03/25/deceptive-ads-expose-users-adware-linkularwin32-speedupmypc-puas-potentially-unwanted-applications/; classtype:trojan-activity; sid:2018323; rev:3; metadata:created_at 2014_03_26, updated_at 2014_03_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable purporting to be .txt file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".txt"; nocase; http_uri; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; classtype:trojan-activity; sid:2010500; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Executable purporting to be .cfg file with no Referer - Likely Malware"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"|0d 0a|Referer|3a| "; nocase; http_header; content:".cfg"; nocase; http_uri; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; classtype:trojan-activity; sid:2010501; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Errorsafe.com Fake antispyware User-Agent (ErrorSafe)"; flow:to_server,established; content:"ErrorSafe "; fast_pattern:only; http_user_agent; reference:url,doc.emergingthreats.net/2003346; classtype:trojan-activity; sid:2003346; rev:11; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, 
signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antispywaremaster.com/Privacyprotector.com Fake AV Checkin"; flow:established,to_server; content:"?action="; http_uri; content:"&pc_id="; http_uri; content:"&abbr="; fast_pattern:only; http_uri; content:"&err="; http_uri; reference:url,doc.emergingthreats.net/2008282; classtype:trojan-activity; sid:2008282; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> 54.218.7.114 any (msg:"ET MALWARE DomainIQ Check-in"; flow:established,to_server; content:"User-Agent|3a 20|NSISDL/1.2|20 28|Mozilla|29 0d 0a|"; http_header; fast_pattern:14,20; reference:md5,00699af9bb10af100563adbb767bcee0; classtype:trojan-activity; sid:2018458; rev:3; metadata:created_at 2014_05_09, updated_at 2014_05_09;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; content:"update"; depth:6; http_user_agent; content:"statblaster"; http_header; fast_pattern:only; pcre:"/\/updatestats\/update\d+?\.xml$/U"; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:policy-violation; sid:2001225; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.PUQD Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/debug/Version/"; fast_pattern:only; http_uri; content:"/trace/"; http_uri; pcre:"/^\/debug\/Version\/\d_\d_\d_\d\d{1,2}?\/trace\/(?:mostrarFailed(?:EndLoading|ReadyState)|Get(?:XmlDataRequisites|BinaryData)|(?:DownloadRequisites|down_)Finish|Re(?:cievedXml|adyState)|PreDownloadRequisites|EndLoading|UserAdmin|Start)$/U"; content:!"User-Agent|3a|"; 
http_header; content:!"Referer|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,e44962d7dec79c09a767a1d3e8ce02d8; reference:url,www.virustotal.com/en/file/1a1ff0fc6af6f7922bae906728e1919957998157f3a0cf1f1a0d3292f0eecd85/analysis/; classtype:trojan-activity; sid:2017945; rev:3; metadata:created_at 2014_01_08, updated_at 2014_01_08;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/RocketfuelNextUp.Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/evt/?nexcb="; fast_pattern:only; http_uri; content:!"User-Agent|3A|"; http_header; content:"a="; http_client_body; depth:2; content:"&b="; http_client_body; distance:0; pcre:"/^\x2Fevt\x2F\x3Fnexcb\x3D[a-f0-9\x2D]{10,}$/U"; reference:md5,408e8969cd0abd153eab6696f8add363; classtype:trojan-activity; sid:2018565; rev:3; metadata:created_at 2014_06_16, updated_at 2014_06_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SpamBlockerUtility Fake Anti-Spyware User-Agent (SpamBlockerUtility x.x.x)"; flow:to_server,established; content:"SpamBlockerUtility "; fast_pattern:only; http_user_agent; threshold: type limit, count 1, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2003384; classtype:trojan-activity; sid:2003384; rev:12; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.MultiInstaller checkin 2"; flow:established, to_server; content:"GET"; http_method; content:"/entrance?s1="; depth:13; http_uri; pcre:"/^\/entrance\?s1=[a-f0-9]{100,}$/Ui"; content:!"Referer|3a|"; http_header; reference:md5,c610d46d97c1b80f027f56d227a003f7; classtype:trojan-activity; sid:2018590; rev:2; metadata:created_at 2014_06_20, updated_at 2014_06_20;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alexa Spyware Reporting URL Visited"; 
flow:established,to_server; content:"/data/"; nocase; http_uri; content:"cli="; nocase; http_uri; content:"&ver=alxi"; nocase; http_uri; fast_pattern:only; content:"&url="; nocase; http_uri; content:"alexa.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; classtype:trojan-activity; sid:2003606; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; content:"/vsn/ISA/"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; classtype:policy-violation; sid:2000908; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; content:"/Appinstall?app=VVSN"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; classtype:policy-violation; sid:2000909; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=clock"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; classtype:policy-violation; sid:2000910; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com Weather App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; 
content:"=weather"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; classtype:policy-violation; sid:2000911; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; content:"/clock?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; classtype:policy-violation; sid:2000912; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; content:"/clockDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; classtype:policy-violation; sid:2000913; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; content:"/weatherDB"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; classtype:policy-violation; sid:2000914; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; content:"/weather?id="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; 
reference:url,doc.emergingthreats.net/bin/view/Main/2000915; classtype:policy-violation; sid:2000915; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; content:"/heartbeat?"; nocase; http_uri; content:"=whenusave"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; classtype:policy-violation; sid:2000916; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; content:"/OffersDataGZ?update="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; classtype:policy-violation; sid:2000917; rev:12; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com Desktop Bar Install"; flow: to_server,established; content:"/Appinstall?app=desktop"; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; classtype:policy-violation; sid:2000918; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; content:"/DataChunksGZ?update="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"svr="; nocase; http_uri; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; 
reference:url,doc.emergingthreats.net/bin/view/Main/2003404; classtype:policy-violation; sid:2003404; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhenUClick.com Application Version Check"; flow: to_server,established; content:"/versions.html"; nocase; http_uri; content:"whenu.com"; nocase; http_header; fast_pattern; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; classtype:policy-violation; sid:2003389; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OptimizerPro Checkin"; flow:to_server,established; content:"GET"; http_method; content:"/op?sid="; http_uri; content:"&dt="; http_uri; distance:0; content:"&gid="; http_uri; distance:0; reference:md5,d04a7f30c83290b86cac8d762dcc2df5; reference:md5,eba3a996f5b014b2d410f4bf32b8530b; classtype:trojan-activity; sid:2018742; rev:3; metadata:created_at 2013_12_11, updated_at 2013_12_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Optimizer Pro Adware GET or POST to C2"; flow:established,to_server; content:"GET"; http_method; content:"/?q="; offset:4; depth:8; http_uri; content:"optpro"; http_header; fast_pattern:only; pcre:"/^\/(?:get|install)\/\?q=/U"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:trojan-activity; sid:2018744; rev:4; metadata:created_at 2014_07_21, updated_at 2014_07_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SearchSuite Install CnC Beacon"; flow:established,to_server; content:"POST"; http_method; urilen:23; content:"/install_statistics.php"; fast_pattern; http_uri; depth:23; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE|3B| Win32)"; http_header; content:"XML="; http_client_body; depth:4; content:!"Referer|3a|"; 
http_header; reference:md5,7203a56c3888e819c602e758fce823fa; reference:md5,77e33e8a53e2a0dbc06c921de9b71142; classtype:trojan-activity; sid:2018753; rev:2; metadata:created_at 2014_07_23, updated_at 2014_07_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MultiPlug.A checkin"; flow:to_server,established; content:"get/?ver="; http_uri; content:"&aid="; http_uri; distance:0; content:"&hid="; http_uri; distance:0; content:"&rid="; http_uri; distance:0; content:"&data="; http_uri; distance:0; content:"&report="; http_uri; distance:0; content:!"Referer|3a 20|"; http_header; pcre:"/^\/get\/\?ver=.+?\&aid=\d{8,12}\&hid=[a-f0-9]{15,17}&rid=\d{13}\&data=.*?&report=/U"; reference:md5,f9556acf36168414ad7d5650eeee7972; reference:md5,69e28b658520528a1473f51e62698c87; classtype:trojan-activity; sid:2018867; rev:2; metadata:created_at 2014_08_01, updated_at 2014_08_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iBryte.Adware Affiliate Campaign Executable Download"; flow:established,to_server; content:"GET"; http_method; content:".exe?mode="; fast_pattern:only; http_uri; content:"&subid="; http_uri; content:"&filedescription="; http_uri; content:!"Referer|3a 20|"; http_header; reference:md5,65e5b8e84772f55d761a85bf53c14169; reference:md5,cfda690ebe7bccc5c3063487f6e54086; classtype:trojan-activity; sid:2018367; rev:7; metadata:created_at 2014_04_07, updated_at 2014_04_07;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE AdWare.Win32.Yokbar Checkin URL"; flow:established,to_server; content:"?p="; http_uri; content:"&v="; http_uri; content:"&m="; http_uri; content:"&d=200"; http_uri; content:"&x="; http_uri; content:"&t="; http_uri; reference:url,doc.emergingthreats.net/2008753; classtype:trojan-activity; sid:2008753; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Adware/Antivirus360 Config to client"; flow:established,to_client; 
content:"[InstallerIni]"; nocase; depth:300; content:"|0d 0a|Pid="; nocase; within:6; content:"|0d 0a|Product="; nocase; content:"|0d 0a|FID="; nocase; content:"|0d 0a|Title="; nocase; reference:url,doc.emergingthreats.net/2009809; classtype:trojan-activity; sid:2009809; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MAC/Conduit Component Download"; flow:established,to_server; content:"GET"; http_method; content:"/installer?dp="; http_uri; content:"&sdp="; http_uri; content:"&f="; http_uri; content:"&id="; http_uri; content:"&v="; http_uri; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019144; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Stan Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"Proxy-Authorization|3A| Basic"; http_header; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; content:"Host|3A| stan|2E|"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{50,}$/U"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019145; rev:2; metadata:created_at 2014_09_09, updated_at 2014_09_09;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Kyle Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; content:"GET"; http_method; content:"Host|3A| kyle|2E|"; http_header; fast_pattern:only; pcre:"/^\/[\w-]{50,}$/U"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:trojan-activity; sid:2019156; rev:2; metadata:created_at 2014_09_10, updated_at 2014_09_10;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; content:"/clientsetupfinish.html?sponsor_id="; http_uri; nocase; 
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; classtype:trojan-activity; sid:2001998; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): disabled legacy (2010) adware signatures below (180solutions/Zango, Fun Web Products); static URI substrings only.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; content:"/downloads/valueadd/ping/ping.htm"; nocase; http_uri; content:"zango.com|0d 0a|"; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; classtype:trojan-activity; sid:2003058; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fun Web Products StationaryChooser Spyware"; flow: to_server,established; content:"/StationeryChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; classtype:policy-violation; sid:2002858; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): still enabled although dated 2010 - keyed only on POST plus "gs_trickler" anywhere in the URI (nocase). Classified policy-violation, not trojan-activity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gator/Claria Data Submission"; flow: to_server,established; content:"POST"; nocase; http_method; content:"gs_trickler"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; classtype:policy-violation; sid:2000596; rev:15; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): InstallCore.B - the whole URI is pinned by the pcre (/?pcrc= followed by 7-10 digits, nothing else) and the urilen bound complements it; the POST body must begin with the literal 7-byte marker 0A0Czut (depth:7).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.InstallCore.B Checkin"; flow:established,to_server; urilen:13<>18; content:"POST"; http_method; content:"/?pcrc="; fast_pattern:only; http_uri; content:!"Referer|3a 20|"; http_header; pcre:"/^\/\?pcrc=[0-9]{7,10}$/U"; content:"0A0Czut"; depth:7; http_client_body; reference:md5,d933bef7e1118b181add31eb5edc5c73; 
classtype:trojan-activity; sid:2019511; rev:5; metadata:created_at 2014_10_27, updated_at 2014_10_27;)
# NOTE(review): DealPly checkin - POST to a /pxl/ path carrying e=-1 followed (distance:0) by &c=; no User-Agent constraint, only a missing Referer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DealPly Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/pxl/"; http_uri; fast_pattern:only; content:"e=-1"; http_uri; content:"&c="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,c6ebffb418813ed68ac5ed9f51f83946; classtype:trojan-activity; sid:2019622; rev:2; metadata:created_at 2014_10_31, updated_at 2014_10_31;)
# NOTE(review): pure User-Agent match ("Softonic Downloader/" anywhere in the UA); this is the vendor's own downloader client, so treat hits as PUP/policy rather than compromise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/SoftonicDownloader.Adware User Agent"; flow:established,to_server; content:"Softonic Downloader/"; http_user_agent; reference:md5,1047b186bb2822dbb5907cd743069261; classtype:trojan-activity; sid:2014355; rev:3; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
# NOTE(review): SoftPulse - "NSIS_Inetc (Mozilla)" is the NSIS Inetc plugin User-Agent (also relied on by sid 2021094 for Conduit), so it is shared with other NSIS-built installers; the specificity comes from the JSON body prefix pinned at depth:45 and the machine_ID key.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32.SoftPulse Checkin"; flow: established, to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla|29|"; depth:20; http_user_agent; content:"|7b 22|event_type|22 3a 22|SPidentifier|22 2c 20 22|environment|22 3a 22|"; depth:45; http_client_body; content:"|22|machine_ID|22 3a 22|"; distance:0; http_client_body; reference:md5,9aa08a2700074c7a8a81e49dc8396e00; reference:md5,50f1fc1085f18a25c09c08566fc1a457; classtype:trojan-activity; sid:2018557; rev:6; metadata:created_at 2014_06_11, updated_at 2014_06_11;)
# NOTE(review): matches the cleartext TLS Certificate handshake record from the server (record type 0x16, version 0x03xx, handshake type 0x0b, then the hostname within 400 bytes). TLS 1.3 encrypts the Certificate message, so this only fires for TLS 1.2 and below; pair with a TLS SNI / JA3-style rule for coverage on modern stacks.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Carder Card Checking Tool try2check.me SSL Certificate"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:policy-violation; sid:2014286; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_27, updated_at 2016_07_01;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET MALWARE Carder Card Checking Tool 
try2check.me SSL Certificate on Off Port"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"try2check.me"; within:400; classtype:policy-violation; sid:2014287; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2012_02_27, updated_at 2016_07_01;)
# NOTE(review): the two try2check.me rules (sid 2014286 / 2014287) cover server port 443 and ports 1024 and above only; a certificate served on another privileged port (<1024, not 443) is not covered. Same TLS 1.3 caveat as 2014286.
# NOTE(review): DomaIQ - eight form-body parameter names with no ordering constraints; /index.php is a very common path, so the body keys carry the match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DomaIQ Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/index.php"; http_uri; content:"&OSversion="; http_client_body; content:"&Sysid="; http_client_body; content:"&Sysid1="; http_client_body; content:"&X64="; http_client_body; content:"&exe="; http_client_body; content:"&ffver="; http_client_body; content:"&lang_DfltSys="; http_client_body; content:"&lang_DfltUser="; http_client_body; reference:md5,9befc43d2019c5614e7372a16e3a5ce5; classtype:trojan-activity; sid:2019944; rev:3; metadata:created_at 2014_12_16, updated_at 2014_12_16;)
# NOTE(review): DownloadGuide.D - the JSON body must start with {"os":" (7 bytes, depth:7) and the lang/uid/prod keys must follow in that order (distance:0 chain).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP W32/DownloadGuide.D"; flow:established,to_server; content:"POST"; http_method; content:"/config-from-production"; http_uri; content:"{|22|os|22 3A 22|"; http_client_body; depth:7; content:"|22|lang|22 3A 22|"; http_client_body; distance:0; content:"|22|uid|22 3A 22|"; http_client_body; distance:0; content:"|22|prod|22 3A 22|"; http_client_body; distance:0; reference:md5,294752c7c4fcf4252a9e99bb4df7ff5c; classtype:trojan-activity; sid:2019974; rev:2; metadata:created_at 2014_12_18, updated_at 2014_12_18;)
# NOTE(review): BoBrowser - whole header line "User-Agent: LogEvents\r\n" is matched; fast_pattern:12,11 skips the 12-byte "User-Agent: " prefix and uses the 11-byte "LogEvents\r\n" as the MPM pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP.Win32.BoBrowser User-Agent (LogEvents)"; flow:established,to_server; content:"User-Agent|3a 20|LogEvents|0d 0a|"; http_header; fast_pattern:12,11; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020238; rev:2; metadata:created_at 2015_01_22, updated_at 2015_01_22;)
alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ET MALWARE PUP.Win32.BoBrowser User-Agent (VersionDwl)"; flow:established,to_server; content:"User-Agent|3a 20|VersionDwl|0d 0a|"; http_header; fast_pattern:12,12; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020239; rev:2; metadata:created_at 2015_01_22, updated_at 2015_01_22;)
# NOTE(review): BoBrowser UA token " BoBrowser/" carries a leading space, so it must appear after some other UA text, not at the very start of the User-Agent; rate-limited to one alert per source per 180s.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP.Win32.BoBrowser User-Agent (BoBrowser)"; flow:established,to_server; content:"User-Agent|3a 20|"; http_header; content:" BoBrowser/"; http_user_agent; fast_pattern; threshold:type limit,track by_src,count 1,seconds 180; reference:url,malwareprotectioncenter.com/2015/01/20/bobrowser; classtype:trojan-activity; sid:2020240; rev:3; metadata:created_at 2015_01_22, updated_at 2015_01_22;)
# NOTE(review): CoolWebSearch - the pcre (header buffer, multiline, case-insensitive) requires the UA to start with "Feat" and contain "Installer" or "Updater" later on the same line; the content match is only the MPM pre-filter.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE CoolWebSearch Spyware (Feat)"; flow: to_server,established; content:"User-Agent|3a| Feat"; nocase; http_header; pcre:"/^User-Agent\x3a\x20+Feat[^\r\n]+(?:Install|Updat)er/Hmi"; reference:url,www.spywareguide.com/product_show.php?id=599; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075759; reference:url,www.doxdesk.com/parasite/CoolWebSearch.html; reference:url,doc.emergingthreats.net/2002160; classtype:trojan-activity; sid:2002160; rev:18; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): MultiPlug adfraud - URI must start with /sync and reach /?rmbs= within 8 bytes, and the full User-Agent is pinned to one exact Chrome/24.0.1312.57 string. A UA change in a newer build evades this; the URI shape alone is the durable part.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/MultiPlug.Adware Adfraud Traffic"; flow:established,to_server; content:"GET"; http_method; content:"/sync"; http_uri; depth:5; content:"/?rmbs="; within:8; http_uri; fast_pattern; content:"User-Agent|3a 20|Mozilla/5.0 (Windows NT 6.1|3b| WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17|0d 0a|"; http_header; content:!"Referer|3A|"; http_header; reference:url,blogs.cisco.com/security/talos/bad-browser-plug-ins; classtype:trojan-activity; sid:2020457; rev:2; metadata:created_at 2015_02_17, updated_at 2015_02_17;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware User-Agent"; flow:established,to_server; content:!"Referer|3a|"; http_header; content:"WinWrapper"; depth:10; http_user_agent; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020629; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;)
# NOTE(review): the msg of sid 2020629 above reads "ET MALWARE MALWARE ..." (category word duplicated); cosmetic, left untouched here because the msg string is what downstream alert matching keys on.
# NOTE(review): AirInstaller - the "/launch/?c=" content has no http_uri modifier (unlike every other content in this rule), so it is matched against the raw request payload rather than the normalized URI buffer; it still works but can also match that string inside a body or header. Consider adding http_uri for consistency when the rule is next revised.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Application AirInstaller"; flow:to_server,established; urilen:>31; content:"GET"; http_method; content:"/launch/?c="; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"&m="; http_uri; content:"&l="; http_uri; content:"&b="; http_uri; content:"&sid="; http_uri; content:"&os="; http_uri; reference:md5,3eaaf0de35579e5af89ae3dd81d0c592; reference:md5,ac030896aad1b6b0eeb00952dee24c3f; classtype:trojan-activity; sid:2018095; rev:5; metadata:created_at 2014_01_13, updated_at 2014_01_13;)
# NOTE(review): AirInstaller beacon - after "/log/?" exactly one byte then "=" (distance:1; within:1), which the pcre narrows to /log/?b= or /log/?c=, optionally under any directory prefix; requires absence of Accept and Referer headers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; content:"GET"; http_method; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; content:"/log/?"; http_uri; fast_pattern; content:"="; distance:1; within:1; http_uri; content:"&d="; distance:0; http_uri; content:"&o="; http_uri; content:"&r="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/U"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:trojan-activity; sid:2020701; rev:2; metadata:created_at 2015_03_16, updated_at 2015_03_16;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; content:"/ToastMessage/"; nocase; http_uri; content:"/Toast.asp?ysaid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; classtype:policy-violation; sid:2003362; rev:6; 
metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): the five rules below (Hotbar x3, ICQ-Update.biz, ISearchTech) are disabled 2010-era signatures kept for reference; each matches only on static, case-insensitive URI substrings with no host or UA anchor.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Agent Partner Checkin"; flow: to_server,established; content:"/partners/"; nocase; http_uri; content:"partners.xip"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; classtype:trojan-activity; sid:2000925; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Agent Subscription POST"; flow: to_server,established; content:"/hotbar/"; nocase; http_uri; content:"Subscription.dll?"; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; classtype:trojan-activity; sid:2002820; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Keywords Download"; flow: to_server,established; content:"/keywords/kyfb."; nocase; http_uri; content:"partner_id="; nocase; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; classtype:trojan-activity; sid:2003388; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ICQ-Update.biz Reporting Install"; flow: to_server,established; content:"log.php?"; nocase; http_uri; content: "IP="; nocase; http_uri; content:"Port1="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; classtype:trojan-activity; sid:2001490; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ISearchTech Toolbar Data Submission"; flow: to_server,established; content:"/ist/scripts/istsvc_ads_data.php?"; nocase; http_uri; content: "version="; nocase; http_uri; reference:url,www.isearchtech.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; 
classtype:trojan-activity; sid:2001697; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): four more disabled 2010-era adware signatures (Internet Optimizer, MySearchNow, MyWebSearch, Hotbar Install); retained for reference only.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Internet Optimizer Spyware Install"; flow: to_server,established; content:"/internet-optimizer/"; nocase; http_uri; content:"/optimize"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; classtype:policy-violation; sid:2001396; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MySearchNow.com Spyware"; flow: to_server,established; content:"exe/dns.html"; nocase; http_uri; content:"User-Agent|3a| TPSystem"; nocase; http_header; reference:url,www.mysearchnow.com; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; classtype:trojan-activity; sid:2003221; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; content:"/barcfg.jsp?"; nocase; http_uri; content:"MyWebSearchWB"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; classtype:trojan-activity; sid:2002836; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hotbar Install (1)"; flow: to_server,established; content:"/install/startInstallprocess.asp?"; nocase; http_uri; content: "Defau"; http_uri; reference:url,www.hotbar.com; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; classtype:trojan-activity; sid:2000920; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): Sendori - "Sendori-Client" is 14 bytes, so depth:14 on the http_user_agent buffer anchors the match to the start of the User-Agent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/AdWare.Sendori User-Agent"; flow:established,to_server; content:"Sendori-Client"; http_user_agent; depth:14; 
reference:url,isc.sans.edu/forums/diary/Suspect+Sendori+software/16466; reference:md5,aee8ddf3b36d60d33c571ee798b6bad6; classtype:trojan-activity; sid:2020881; rev:3; metadata:created_at 2015_04_08, updated_at 2015_04_08;)
# NOTE(review): Softpulse failure beacon - pins the sample's Sentry DSN (sentry_key and sentry_secret) as literal URI content. Detection is exact but brittle: rotating the DSN in a new build evades it. The key/secret are the adware operator's error-reporting credentials observed in traffic, not a secret of ours.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Softpulse PUP Install Failed Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?sentry_version="; http_uri; content:"&sentry_client="; distance:0; http_uri; content:"&sentry_key=84ce05510b844b75acc37de959560a65&sentry_secret=1c9aa912021b4626a5b7a7e589cba678&sentry_data="; distance:0; http_uri; content:!"Referer|3a|"; http_header; reference:md5,bb9f26d52327979fb9b4d467408eba25; classtype:trojan-activity; sid:2021027; rev:2; metadata:created_at 2015_04_28, updated_at 2015_04_28;)
# NOTE(review): Conduit.AG - urilen:1 means a POST to "/" only; the NSIS_Inetc User-Agent is shared with sid 2018557 (SoftPulse), so the body keys postInstallReport and machineId are what distinguish the family.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Toolbar.Conduit.AG Checkin"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:"User-Agent|3a 20|NSIS_Inetc (Mozilla|29 0d 0a|"; http_header; content:"postInstallReport"; http_client_body; fast_pattern; content:"machineId|22 3a 22|"; http_client_body; reference:md5,8fc00c6696268ae42411a5ebf9d2576f; classtype:trojan-activity; sid:2021094; rev:3; metadata:created_at 2015_05_13, updated_at 2015_05_13;)
# NOTE(review): GigaClicks - requires the request to have NO User-Agent header at all (negated http_header content); a build that adds any UA evades the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP.GigaClicks Checkin"; flow:to_server,established; content:"POST"; http_method; content:"/ver/"; http_uri; content:"/sid/"; http_uri; content:"instlog="; http_client_body; fast_pattern; content:!"User-Agent|3a|"; http_header; reference:md5,942fd71fb26b874502f3ba8546e6c164; classtype:trojan-activity; sid:2021099; rev:2; metadata:created_at 2015_05_15, updated_at 2015_05_15;)
# NOTE(review): Conduit SearchProtect.O - ordered URI chain (/?uid= then &affid=, &inst_date=, &prod=) with Accept and Referer headers absent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/Conduit.SearchProtect.O CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/?uid="; http_uri; content:"&affid="; distance:0; http_uri; content:"&inst_date="; 
distance:0; http_uri; fast_pattern; content:"&prod="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; reference:md5,525917c79e22fa9bc54da36b94437a46; classtype:trojan-activity; sid:2021173; rev:2; metadata:created_at 2015_05_29, updated_at 2015_05_29;)
# NOTE(review): all-numeric .cn domain - UDP DNS only (offset:2 matches the flags/QDCOUNT bytes of a standard query with one question; DNS over TCP, DoT and DoH are not covered). Destination is "any 53", so queries to internal resolvers are seen too, which is what you want for client-side detection. The label-length byte [\x02-\x1E] and [0-9]{2,30} agree (2-30 digit label), and the negated "|03|360" excludes 360.cn. classtype is misc-activity - treat as a lead, not a verdict.
alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .cn Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cn|00|"; distance:0; nocase; fast_pattern; content:!"|03|360"; distance:-8; within:4; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02cn\x00/i"; classtype:misc-activity; sid:2012327; rev:4; metadata:created_at 2011_02_21, updated_at 2011_02_21;)
# NOTE(review): Ezula (2010, still enabled) - URI /install/eZinstall.exe plus a User-Agent starting with "eZula" (depth:5).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ezula Install .exe"; flow: to_server,established; content:"/install/eZinstall.exe"; nocase; http_uri; content:"eZula"; depth:5; http_user_agent; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; classtype:trojan-activity; sid:2001334; rev:8; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): FakeAV SystemDefender - six case-insensitive URI parameters with no ordering; "action=stat&wmid=" is the only multi-token anchor.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan.FakeAV.SystemDefender Checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:".php?"; nocase; http_uri; content:"action=stat&wmid="; nocase; http_uri; content:"&event="; nocase; http_uri; content:"&uid="; nocase; http_uri; content:"&i1"; nocase; http_uri; content:"&i2"; nocase; http_uri; reference:url,doc.emergingthreats.net/2008732; reference:md5,4d1df7240837832853c8b87606f3dfc2; classtype:trojan-activity; sid:2008732; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): TheSZ - /update.php?p= with &v= and &id=, and an exact "User-Agent: AutoUpdate" header line; the bare UA name is generic, the URI parameters carry the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP TheSZ AutoUpdate CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/update.php?p="; http_uri; fast_pattern:only; content:"&v="; http_uri; 
content:"&id="; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|AutoUpdate|0d 0a|"; http_header; reference:md5,76e54deb6f81edd6b47c854c847d590d; classtype:trojan-activity; sid:2021401; rev:2; metadata:created_at 2015_07_10, updated_at 2015_07_10;)
# NOTE(review): MacKeeper - matches requests to the vendor's own host ("Host: mackeeper...") with a Safari/Mac OS X ldr* cookie, so it fires for any installed copy regardless of how it arrived; treat as PUP/policy rather than compromise. No reference or md5 on this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX ADWARE/Mackeeper Checkin"; flow:established,to_server; content:"/landings/"; depth:10; http_uri; content:"Macintosh|3b|"; http_user_agent; content:"Host|3a| mackeeper"; http_header; content:"ldrBrowser=|25|22Safari|25|22|3b|"; http_cookie; content:"ldrOs=|25|22Mac+OS+X|25|22|3b|"; http_cookie; classtype:trojan-activity; sid:2021548; rev:3; metadata:created_at 2015_07_29, updated_at 2015_07_29;)
# NOTE(review): DealPly beacon 2 - URI begins /?v= and carries &pcrc=, &LSVRDT=, &ty= in order; requires the request to have neither a User-Agent nor a Referer header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DealPly Adware CnC Beacon 2"; flow:established,to_server; content:"/?v="; http_uri; depth:4; content:"&pcrc="; http_uri; distance:0; content:"&LSVRDT="; http_uri; distance:0; fast_pattern; content:"&ty="; http_uri; distance:0; content:!"User-Agent|3a|"; http_header; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2021619; rev:3; metadata:created_at 2015_08_12, updated_at 2015_08_12;)
# NOTE(review): DealPly beacon - the pcre pins the entire URI to /?pcrc=<digits>&v=<digits/dots>; distinct from InstallCore.B (sid 2019511), whose pcre forbids anything after the pcrc digits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DealPly Adware CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/?pcrc="; http_uri; depth:7; fast_pattern; content:"&v="; http_uri; pcre:"/^\/\?pcrc=\d+&v=[\d.]+$/U"; content:!"Referer|3a 20|"; http_header; reference:md5,a34236628ea04e10430e20ac2b9d7ad2; classtype:trojan-activity; sid:2021618; rev:4; metadata:created_at 2015_08_12, updated_at 2015_08_12;)
# NOTE(review): DealPly beacon 3 - POST variant with &LUDT=; like beacon 2 it requires no User-Agent header at all.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DealPly Adware CnC Beacon 3"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; http_uri; depth:4; content:"&pcrc="; http_uri; content:"&LUDT="; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; 
content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2021643; rev:2; metadata:created_at 2015_08_17, updated_at 2015_08_17;)
# NOTE(review): UtilMind HTTPGet - the two negated Host matches act as an allowlist, but neither is terminated with |0d 0a|, so any Host value that merely begins with "www.blueocean.com" or "www.backupmaker.com" (e.g. a longer attacker-chosen hostname with that prefix) suppresses the alert. The first negation also lacks http_header and so is evaluated against the raw payload, unlike the second. Tighten both with a |0d 0a| terminator and http_header at the next revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Spyware Related User-Agent (UtilMind HTTPGet)"; flow: to_server,established; content:"UtilMind HTTPGet"; http_header; fast_pattern:only; content:!"Host|3a| www.blueocean.com"; nocase; content:!"Host|3a 20|www.backupmaker.com"; http_header; nocase; threshold: type limit, count 1, track by_src, seconds 360; reference:url,www.websearch.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002402; classtype:trojan-activity; sid:2002402; rev:19; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): Boxore - "BoxoreClent" (11 bytes, depth:11) is presumably the sample's own misspelling of "Client"; confirm against the referenced md5 before "correcting" it, since a fix would break detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUA Boxore User-Agent"; flow:to_server,established; content:"BoxoreClent"; depth:11; http_user_agent; content:!"Referer|3a|"; http_header; reference:md5,5cb2e8a9b6935f228623c69f1b17669d; classtype:trojan-activity; sid:2021700; rev:3; metadata:created_at 2015_08_21, updated_at 2015_08_21;)
# NOTE(review): hex-encoded Host - the pcre requires the whole Host value to be 0x followed by hex digits up to end of line, so "Host: 0xC0A80001:8080" (port suffix) does not match, and decimal or octal IP encodings are not covered. Consider a companion rule for those forms.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"Host|3a| 0x"; http_header; pcre:"/^Host\x3a\x200x[0-9a-f]+\r?$/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; classtype:trojan-activity; sid:2007951; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): OSX fake Flash Player - ordered URI chain ending in &oname=FMP.dmg; no Host or User-Agent constraint, and no reference/md5 recorded on the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Fake Flash Player Download Oct 20"; flow:established,to_server; content:"GET"; http_method; content:"/download/"; http_uri; content:"/FMP.dmg?download_browser="; distance:0; http_uri; fast_pattern; content:"&app_id="; http_uri; distance:0; content:"&campaign="; http_uri; distance:0; content:"&cargoType="; http_uri; distance:0; content:"&oname=FMP.dmg"; http_uri; distance:0; classtype:trojan-activity; sid:2021984; rev:2; metadata:created_at 2015_10_20, updated_at 2015_10_20;)
#alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Blank User-Agent (descriptor but no string)"; flow:to_server,established; content:"User-Agent|3a 0d 0a|"; http_header; content:!"check.googlezip.net|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008066; classtype:trojan-activity; sid:2008066; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# NOTE(review): the disabled rule above (sid 2008066) matches a "User-Agent:" header with an empty value (colon immediately followed by CRLF) and allowlists check.googlezip.net; generic by design, hence disabled.
# NOTE(review): DealPly beacon 4 - pcre pins the whole URI to /?v=<version>&pcrc=<digits>; Referer and Accept- headers must be absent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DealPly Adware CnC Beacon 4"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; http_uri; depth:4; fast_pattern; content:"&pcrc="; http_uri; content:!"Referer|3a 20|"; http_header; content:!"Accept-"; http_header; pcre:"/^\/\?v=[\d.]+&pcrc=\d+$/U"; reference:md5,038da581f99c88a4ee6700de440a54ca; classtype:trojan-activity; sid:2022354; rev:2; metadata:created_at 2016_01_13, updated_at 2016_01_13;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SmartTab PUP Install Activity"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8eaf3b7b72a9af5a85d01b674653ccac; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; classtype:trojan-activity; sid:2014117; rev:4; metadata:created_at 2012_01_12, updated_at 2012_01_12;)
# NOTE(review): SmartTab 2 - "Mozilla/3.0 (compatible; Indy Library)" is the stock User-Agent of the Delphi Indy HTTP component and is shared with unrelated software; the URI pcre (/v<digit>/<name>.asp with no dot in the name) is what discriminates. fast_pattern:32,20 selects the trailing "ble; Indy Library)\r\n" of the 52-byte header line for the MPM.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SmartTab PUP Install Activity 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/v"; http_uri; depth:2; content:".asp"; http_uri; content:"User-Agent|3a 20|Mozilla/3.0 (compatible|3b| Indy Library|29 0d 0a|"; http_header; fast_pattern:32,20; pcre:"/\/v\d\/[^.]+\.asp$/Ui"; reference:md5,84fcdf1cd6dc3ee71686835f9489752c; classtype:trojan-activity; sid:2022694; rev:2; metadata:created_at 2016_04_01, 
updated_at 2016_04_01;)
# NOTE(review): disabled. Flags a "220 " banner from a local server on any port outside the listed mail/FTP/DB/VMware ports, excluding banners mentioning SMTP; runs on the reassembled stream only (only_stream). Generic by construction, which is presumably why it is off.
#alert ftp $HOME_NET ![21,25,110,119,139,445,465,475,587,902,1433,2525] -> any any (msg:"ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced)"; flow:from_server,established,only_stream; content:"220 "; depth:4; content:!"SMTP"; within:20; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2011124; classtype:non-standard-protocol; sid:2011124; rev:19; metadata:created_at 2010_07_30, updated_at 2017_09_08;)
# NOTE(review): Pirrit checkin - a .sh?do= URI with seven parameters and a User-Agent that is exactly "Mozilla/5.0" with nothing after it (CRLF follows immediately); the bare UA is the fast pattern (offset 5, 20 bytes).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Adware.Pirrit CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".sh?do="; http_uri; content:"&d="; http_uri; content:"&inj="; http_uri; content:"&cl="; http_uri; content:"&cs="; http_uri; content:"&id="; http_uri; content:"&se="; http_uri; content:"User-Agent|3a 20|Mozilla/5.0|0d 0a|"; http_header; fast_pattern:5,20; content:!"Referer|3a|"; http_header; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022716; rev:2; metadata:created_at 2016_04_08, updated_at 2016_04_08;)
# NOTE(review): Pirrit activity 1 - curl/ User-Agent plus a /cld or /update-effect path whose mid= is a GUID followed by ct= or st=; the pcre /i flag makes the hex case-insensitive despite the upper-case class.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Adware.Pirrit CnC Activity 1"; flow:established,to_server; content:"GET"; http_method; content:"?mid="; http_uri; fast_pattern; content:"User-Agent|3a 20|curl/"; http_header; content:!"Referer|3a|"; http_header; pcre:"/\/(cld|update-effect)\?mid=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&(ct|st)=[a-z0-9]+$/Ui"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022717; rev:2; metadata:created_at 2016_04_08, updated_at 2016_04_08;)
# NOTE(review): Pirrit activity 2 - POST with a URI containing no "." at all (negated content), curl/ UA, and a body that starts with vs_mid=.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Adware.Pirrit CnC Activity 2"; flow:established,to_server; content:"POST"; http_method; content:!"."; http_uri; 
content:"User-Agent|3a 20|curl/"; http_header; content:"vs_mid="; http_client_body; depth:7; fast_pattern; content:"&br_mid="; http_client_body; content:"&event_type="; http_client_body; content:"diss URL"; http_client_body; nocase; content:!"Referer|3a|"; http_header; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022718; rev:2; metadata:created_at 2016_04_08, updated_at 2016_04_08;)
# NOTE(review): Pirrit web-inject fetch - /mu?id=<GUID>&d=<letters>&cl=<digits> pinned end-to-end by the pcre; no UA or header constraints.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/Adware.Pirrit Web Injects"; flow:established,to_server; content:"GET"; http_method; content:"/mu?id="; http_uri; fast_pattern; content:"&d="; http_uri; content:"&cl="; http_uri; pcre:"/\/mu\?id=[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}&d=[A-Za-z]+&cl=\d+$/Ui"; reference:url,go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf; reference:md5,85846678ad4dbff608f2e51bb0589a16; classtype:trojan-activity; sid:2022719; rev:2; metadata:created_at 2016_04_08, updated_at 2016_04_08;)
# NOTE(review): Adposhel checkin 3 - HEAD request to /u/?<letter>=...&c=...&r=<17+ digits>; the reference is the Malwarebytes DNSChanger/PowerShell write-up rather than a sample md5.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 3"; flow:established,to_server; content:"HEAD"; http_method; content:"/u/?"; depth:4; http_uri; fast_pattern; content:"&c="; http_uri; distance:0; content:"&r="; http_uri; distance:0; pcre:"/^\/u\/\?[a-z]=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&r=[0-9]{17,}$/U"; reference:url,blog.malwarebytes.org/cybercrime/2016/01/trojan-dnschanger-circumvents-powershell-restrictions/; classtype:trojan-activity; sid:2022722; rev:2; metadata:created_at 2016_04_11, updated_at 2016_04_11;)
# NOTE(review): Adposhel checkin 4 - POST form to /u/ with a=...&c=...&h=...&r=<15+ digits> body; the Content-Type content that follows "Connection: Close" carries no http_header modifier.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 4"; flow:established,to_server; content:"POST"; http_method; content:"/u/"; depth:3; http_uri; fast_pattern; content:"Connection|3a| Close|0d 0a|"; nocase; http_header; content:"Content-Type|3a 
20|application/x-www-form-urlencoded|0d 0a|"; content:!"Accept"; http_header; content:!"Referer|3a|"; nocase; http_header; content:"a="; depth:2; http_client_body; content:"&c="; http_client_body; distance:0; content:"&r="; http_client_body; distance:0; pcre:"/^a=[a-zA-Z0-9_-]+&c=[a-zA-Z0-9_-]+&h=[a-zA-Z0-9_-]+&r=[0-9]{15,}$/P"; reference:md5,3ea75d62966f8c52de16d7849eeb3691; classtype:trojan-activity; sid:2022723; rev:2; metadata:created_at 2016_04_11, updated_at 2016_04_11;)
# NOTE(review): in sid 2022723 above the Content-Type content has no http_header modifier and is therefore matched on the raw payload; functional, but inconsistent with the neighbouring header matches. The body pcre additionally requires an &h= field that the content chain does not check, so the pcre is the stricter of the two.
# NOTE(review): MediaGet installer download (server-to-client). The PE check works as follows: after matching "MZ" the cursor sits at offset 2; byte_jump:4,58,relative reads the 4-byte little-endian e_lfanew at offset 60 and jumps past it, landing at 64+e_lfanew; distance:-64 with within:4 then requires "PE\0\0" exactly at e_lfanew. Requires the response body to be inside the configured file_data inspection depth, and is suppressed when ET.Adobe.Site.Download is set (set by a rule outside this view).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/MediaGet.Adware Installer Download"; flow:established,to_client; content:"Set-Cookie|3A 20 |MediagetDownloaderInfo=installer"; http_raw_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; flowbits:isnotset,ET.Adobe.Site.Download; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=860182; reference:md5,39c1769c39f61dd2ec009de8374352c6; classtype:trojan-activity; sid:2014353; rev:6; metadata:created_at 2012_03_09, updated_at 2012_03_09;)
# NOTE(review): QuizScope - URI must begin with the 17-byte "/qscope/ithankyou" (depth:17); no Host or User-Agent constraint.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Successful QuizScope Installation"; flow:established,to_server; content:"GET"; http_method; content:"/qscope/ithankyou"; depth:17; fast_pattern; http_uri; reference:md5,4dae2a394b792c36936a88cfc296f9b9; classtype:trojan-activity; sid:2022812; rev:2; metadata:created_at 2016_05_17, updated_at 2016_05_17;)
# NOTE(review): SearchProtect - User-Agent must begin with "SearchProtect;" (14 bytes, depth:14).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SearchProtect PUA User-Agent Observed"; flow:established,to_server; content:"SearchProtect|3b|"; depth:14; http_user_agent; reference:md5,34e2350c2ed6a9a9e9d444102ae4dd87; classtype:trojan-activity; sid:2022813; rev:2; metadata:created_at 2016_05_17, updated_at 2016_05_17;)
# NOTE(review): Conduit Trovi - URI starts /?gd= and carries &ctid=, &octid=, &SSPV= in order.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Conduit Trovi Adware/PUA"; flow:established,to_server; content:"GET"; http_method; content:"/?gd="; http_uri; depth:5; fast_pattern; 
content:"&ctid="; http_uri; distance:0; content:"&octid="; http_uri; distance:0; content:"&SSPV="; http_uri; distance:0; reference:md5,069ce8c2a553f9bc5a9599d7541943ce; classtype:trojan-activity; sid:2022814; rev:2; metadata:created_at 2016_05_17, updated_at 2016_05_17;)
# NOTE(review): InstallCore M1-M4 all hinge on an exact "User-Agent: WinHTTP/1.0" header line (the fast pattern) plus one URI fragment. WinHTTP/1.0 is a stock Windows HTTP-stack UA that legitimate software can also emit, so M2/M3 (/install-report?, /event-report?) and especially M4 (?type=off&topic=) are the loosest of the set; M1's 18-byte /gettrk_l?partner= prefix (depth:18) is the tightest. None carry a reference or md5.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InstallCore PUA/Adware Activity M1"; flow:established,to_server; content:"/gettrk_l?partner="; depth:18; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022821; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InstallCore PUA/Adware Activity M2"; flow:established,to_server; content:"/install-report?"; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022822; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InstallCore PUA/Adware Activity M3"; flow:established,to_server; content:"/event-report?"; http_uri; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022823; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InstallCore PUA/Adware Activity M4"; flow:established,to_server; content:"?type=off"; http_uri; content:"&topic="; http_uri; distance:0; content:"User-Agent|3a 20|WinHTTP/1.0|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022824; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
# NOTE(review): BrandThunder - exact User-Agent header line "BrandThunderHelper"; no other constraints and no reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Toolbar User-Agent (BrandThunderHelper)"; flow:established,to_server; content:"User-Agent|3a 20|BrandThunderHelper|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2022825; rev:2; metadata:created_at 2016_05_18, updated_at 
2016_05_18;)
# NOTE(review): WidgiToolbar - POST only, User-Agent beginning with the 13-byte "WidgiToolbar-" (depth:13).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Toolbar.WIDGI User-Agent (WidgiToolbar-)"; flow:to_server,established; content:"POST"; http_method; nocase; content:"WidgiToolbar-"; depth:13; http_user_agent; reference:md5,1785f9784cb4e7400ed6f2c8f0e421c2; classtype:trojan-activity; sid:2022826; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
# NOTE(review): DriverRestore - the URI itself carries JSON keys "ComputerName", "UserName" and "IsAdmin", i.e. hostname, account name and privilege level are sent to the affiliate in the query string. For IR, the alert's captured URI is the exfiltrated data; log the full request. UA "DriverRestore/" is the fast pattern (offset 6, 20 bytes of the 26-byte header line).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP/DriverRestore Sending System Information to Affiliate"; flow:established,to_server; content:".jsp?leadTrackerId="; http_uri; content:"|22|ComputerName|22|"; http_uri; distance:0; content:"|22|UserName|22|"; http_uri; distance:0; content:"|22|IsAdmin|22|"; http_uri; distance:0; content:"User-Agent|3a 20|DriverRestore/"; http_header; fast_pattern:6,20; content:!"Referer|3a 20|"; http_header; reference:md5,4f7f497668e3e716a6f4a53af0924a25; classtype:trojan-activity; sid:2022827; rev:2; metadata:created_at 2016_05_18, updated_at 2016_05_18;)
# NOTE(review): TopTools - multipart POST to an _install.cgi path whose file part is literally named "boundary" with an octet-stream Content-Type, User-Agent "BIDUI18N"; the multipart part header is the fast pattern.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TopTools PUP Install Activity"; flow:established,to_server; content:"POST"; http_method; content:"_install.cgi"; http_uri; content:"User-Agent|3a 20|BIDUI18N|0d 0a|"; http_header; content:"name=|22|ufile01|22 3b 20|filename=|22|boundary|22|"; http_client_body; fast_pattern; content:"Content-Type|3a 20|application/octet-stream"; http_client_body; distance:0; content:!"Accept-"; http_header; content:!"Referer|3a|"; http_header; reference:md5,3e464cff8690c7a2f57542688a278c62; classtype:trojan-activity; sid:2022829; rev:2; metadata:created_at 2016_05_19, updated_at 2016_05_19;)
# NOTE(review): CloudScout - POST to /QualityCheck/<something>.php (pcre confirms the .php suffix) with a body starting dp= followed by &sdp= and &a=.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/CloudScout Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/QualityCheck/"; http_uri; fast_pattern; content:".php"; distance:0; http_uri; content:!"Referer|3a|"; http_header; content:"dp="; http_client_body; depth:3; content:"&sdp="; http_client_body; 
distance:0; content:"&a="; http_client_body; distance:0; pcre:"/\.php$/U"; reference:md5,c732b52b245444e3f568d372ce399911; classtype:trojan-activity; sid:2019780; rev:8; metadata:created_at 2014_11_24, updated_at 2016_05_24;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader.NSIS.OutBrowse.b Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/Installer/Flow?pubid="; nocase; depth:22; http_uri; fast_pattern; content:"&distid="; distance:0; http_uri; content:"&productid="; distance:0; http_uri; content:"&subpubid="; distance:0; http_uri; content:"&campaignid="; distance:0; http_uri; content:"&networkid="; distance:0; http_uri; content:"&dfb="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"&version="; distance:0; http_uri; content:"Chrome/18.0.1025.142 Safari/535.19|0d 0a|Host|3a|"; http_header; reference:md5,38eeed96ade6037dc299812eeadee164; reference:url,sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OutBrowse%20Revenyou/detailed-analysis.aspx; classtype:trojan-activity; sid:2018617; rev:6; metadata:created_at 2014_01_13, updated_at 2016_06_22;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"POST"; http_method; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r?$/Hi"; reference:md5,64482895a11d120a9f17ded96aa43cd3; reference:md5,a108ae58850e8f48428070d3193e5c11; classtype:trojan-activity; sid:2020422; rev:15; metadata:created_at 2015_02_13, updated_at 2016_07_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious 
Chrome Extension"; flow:established,to_server; content:"page?url="; http_uri; fast_pattern; content:"/user/"; http_uri; content:"iframe="; http_uri; content:!"Referer|3a|"; http_header; classtype:trojan-activity; sid:2023015; rev:2; metadata:affected_product Web_Browser_Plugins, affected_product Google_Chrome, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_08_05, performance_impact Low, updated_at 2016_08_05;)
# sid:2009785 - disabled upstream (leading '#'); kept for reference only.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)"; flow:established,to_server; content:"User-Agent|3a| Qvod"; nocase; http_header; reference:url,www.siteadvisor.com/sites/update.qvod.com; reference:url,www.threatexpert.com/reports.aspx?find=update.qvod.com; reference:url,doc.emergingthreats.net/2009785; classtype:trojan-activity; sid:2009785; rev:9; metadata:created_at 2010_07_30, updated_at 2016_09_29;)
# sid:2006357 - literal "User-Agent: TEST" with two whitelisted vendors excluded.
# NOTE(review): the comodo exclusion has no http_header modifier while the symantec one does, so
# it is evaluated against the raw payload rather than the normalized header buffer; functionally
# close, but inconsistent - confirm before normalizing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User Agent (TEST) - Likely Webhancer Related Spyware"; flow:to_server,established; content:"User-Agent|3a| TEST|0d 0a|"; http_header; content:!"Host|3a 20|messagecenter.comodo.com"; content:!"symantec.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006357; classtype:trojan-activity; sid:2006357; rev:10; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
# sid:2003337 - generic "Autoupdate" UA with a growing list of legitimate-updater exclusions.
# NOTE(review): the first three negated matches (update.nai.com host, McAfeeAutoUpdate, nokia.com)
# carry no http_header modifier, unlike the later sophosupd / Creative / wholetomato / acclivity
# exclusions, so they apply to the raw payload. Looks like incremental editing rather than intent;
# harmless, but worth aligning so every exclusion is scoped the same way.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User Agent (Autoupdate)"; flow:to_server,established; content:"User-Agent|3a| Autoupdate"; nocase; http_header; content:!"Host|3a| update.nai.com"; nocase; content:!"McAfeeAutoUpdate"; nocase; content:!"nokia.com"; nocase; content:!"sophosupd.com"; nocase; http_header; content:!"sophosupd.net"; nocase; http_header; content:!" Creative AutoUpdate v"; http_header; content:!"wholetomato.com"; http_header; content:!".acclivitysoftware.com"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003337; classtype:trojan-activity; sid:2003337; rev:18; metadata:created_at 2010_07_30, updated_at 2017_01_05;)
# sid:2023707 - MultiPlug.J check-in: long GET with a base64-looking "?q=" value (mixed case,
# contains a digit, >=100 chars) and a minimal Accept/User-Agent/Host header set.
# NOTE(review): content:"/?q="; http_uri; depth:4; pins the query to the first four URI bytes,
# yet the pcre still permits an optional directory (?:[A-Za-z]+\d?\/)? before "?q=", which can
# no longer match once depth:4 is in place. The disabled predecessor (sid:2020422) had no depth
# and did accept that prefix. If the narrowing was deliberate FP tuning the pcre prefix is dead
# weight; if not, the "/dir/?q=" variant is silently dropped - confirm against recent samples.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MultiPlug.J Checkin"; flow:established,to_server; urilen:>103; content:"/?q="; http_uri; fast_pattern; depth:4; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; content:"+"; http_raw_uri; pcre:"/^\/(?:[A-Za-z]+\d?\/)?\?q=(?=[a-z0-9+/]*[A-Z])(?=[A-Z0-9+/]*[a-z])(?=[A-Za-z0-9+/\x25]*\d)[A-Za-z0-9+/\x25]{100}/U"; content:!"map24.com|0d 0a|"; http_header; content:!"aptrk.com|0d 0a|"; http_header; content:!"Accept-"; http_header; pcre:"/^Accept\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+\r\n\r?$/H"; reference:md5,6b95ddc5238cc0576db7b206af13339e; classtype:trojan-activity; sid:2023707; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_09, malware_family PUA, performance_impact Low, updated_at 2017_01_09;)
# sid:2023750 - disabled upstream (leading '#'); response claiming image/png whose body starts
# with an MZ header. Kept for reference only.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M3"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| image/png"; pcre:"/^(?:(?!\r?\n\r?\n).)*?\r?\n\r?\nMZ/Rs"; content:"!This program"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2023750; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_01_19, performance_impact Low, updated_at 2017_12_21;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Mozilla) - Possible Spyware Related"; flow:to_server,established; 
content:"User-Agent|3a| Mozilla|0d 0a|"; http_header; content:!"smartcom.com|0d 0a|"; http_header; content:!"iscoresports.com|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007854; classtype:trojan-activity; sid:2007854; rev:10; metadata:created_at 2010_07_30, updated_at 2017_01_24;) alert http $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET MALWARE User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible|29 0d 0a|"; fast_pattern:18,20; http_header; content:!"citrixonline.com"; http_header; content:!"/?rnd="; depth:6; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008974; classtype:trojan-activity; sid:2008974; rev:14; metadata:created_at 2010_07_30, updated_at 2017_01_24;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Sogou.com Spyware User-Agent (SogouIMEMiniSetup)"; flow:established,to_server; content:"User-Agent|3a| SogouIME"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008500; classtype:trojan-activity; sid:2008500; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2017_04_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/BettrExperience.Adware Update Checkin"; flow:established,to_server; content:"/Check.ashx?"; depth:12; http_uri; content:"&e="; http_uri; content:"&n="; http_uri; content:"&mv="; http_uri; 
content:!"Referer|3a 20|"; reference:md5,b2651071fbd14bff5fb39bd90f447d27; classtype:trojan-activity; sid:2018026; rev:2; metadata:created_at 2014_01_27, updated_at 2014_01_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney Checkin 4"; flow:established,to_server; content:"/data_files="; depth:12; fast_pattern; http_uri; content:"&rnd="; distance:0; http_uri; content:"User-Agent|3a 20|Downloader 1"; http_header; content:!"Accept"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024262; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_08_24, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney Checkin 2"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/launch_info"; http_uri; content:"Downloader "; depth:11; http_user_agent; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024259; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_03_13, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney Checkin 3"; flow:established,to_server; content:"/get_json?"; http_uri; fast_pattern:only; content:"&name="; http_uri; content:"rnd="; http_uri; content:"User-Agent|3a 20|Downloader|20|"; http_header; metadata: former_category TROJAN; 
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024261; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_04_09, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LoadMoney Checkin 5"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3a 20|Downloader|20|"; http_header; content:"|0a|Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22 0d 0a|"; http_client_body; pcre:"/^Downloader\s\d+\.\d+$/V"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2022987; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2016_07_27, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.LoadMoney User Agent"; flow:established,to_server; content:"Downloader "; http_user_agent; fast_pattern:only; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024260; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2017_04_27, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney User Agent"; flow:established,to_server; content:"Downloader "; http_user_agent; 
fast_pattern:only; pcre:"/^User-Agent\x3a Downloader \d\.\d\r?$/Hm"; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024249; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_03_13, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney.A Checkin 1"; flow:established,to_server; content:"/get_xml?"; http_uri; fast_pattern; content:"tiny-dl"; http_user_agent; pcre:"/\/get_xml\?(?:file_id|stb)=/Ui"; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024250; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2012_12_19, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney.A Checkin 2"; flow:established,to_server; content:"/download.php?id="; http_uri; fast_pattern; content:"&f="; http_uri; content:"tiny-dl"; http_user_agent; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024251; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2012_12_19, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney.A Checkin 3"; flow:to_server,established; 
content:"/get_download_xml_"; fast_pattern:only; http_uri; content:"?id="; http_uri; content:"User-Agent|3a| tiny-dl"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024252; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_05_03, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney.A Checkin 4"; flow:to_server,established; content:"/get_file_info.php?id="; fast_pattern; http_uri; content:"tiny-dl"; depth:7; http_user_agent; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024253; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_05_22, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney.A Checkin 6"; flow:to_server,established; content:"/get_xml?story="; fast_pattern:only; http_uri; content:"&file"; http_uri; content:"Downloader"; depth:10; http_user_agent; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024254; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_09_11, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 
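Loadmoney.A Checkin 7"; flow:to_server,established; content:"/info?story="; fast_pattern:only; http_uri; content:"&file="; http_uri; content:"Downloader"; depth:10; http_user_agent; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024255; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_09_16, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
# Rules are written one per line below, as the Suricata/Snort parser requires; a '#' at the
# start of a line disables the whole rule.
# sid:2024256 - LoadMoney "tiny-dl" downloader fetching /getspfile.php?id=
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney.A Checkin 5"; flow:to_server,established; content:"/getspfile.php?id="; fast_pattern:only; http_uri; content:"tiny-dl"; depth:7; http_user_agent; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024256; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2013_11_19, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
# sid:2024257 - LoadMoney GET reporting browser-log and admin state in the query string, no Referer.
# FIX: the fourth URI match in this copy read "<NOT SIGN, U+00AC>Admin=" instead of "&notAdmin=".
# ET rules are plain ASCII, and "&not" is a legacy HTML entity that HTML parsers decode even
# without a trailing ';', so the non-ASCII byte is almost certainly an HTML round-trip artifact
# (the sibling parameters &chromeLog= / &ffLog= / &operaLog= all survived because they are not
# entity names). A U+00AC byte can never appear in a normalized HTTP URI, so the rule as shipped
# here could not fire. Restored to the ASCII form; rev is left unchanged because this repairs
# transport corruption rather than altering the upstream signature.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney.A Checkin 8"; flow:established,to_server; content:"GET"; http_method; content:"&chromeLog="; http_uri; fast_pattern; content:"&ffLog="; distance:0; http_uri; content:"&operaLog="; distance:0; http_uri; content:"&notAdmin="; distance:0; http_uri; content:!"Referer|3a|"; http_header; metadata: former_category TROJAN; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024257; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2014_08_05, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
# sid:2024258 - LoadMoney POST to /ppu.php with an xml_req= body carrying system / os+version fields.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Loadmoney Checkin 1"; flow:established,to_server; content:"POST"; http_method; urilen:8; content:"/ppu.php"; http_uri; fast_pattern:only; content:"xml_req="; depth:8; http_client_body; content:"system"; distance:0; http_client_body; content:"os+version"; distance:0; http_client_body; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2024258; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Loadmoney, signature_severity Minor, created_at 2015_02_17, malware_family Loadmoney, performance_impact Low, updated_at 2017_04_27;)
# sid:2008150 - disabled upstream (leading '#'); kept for reference only.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller)"; flow:to_server,established; content:"User-Agent|3a| LocusSoftware, NetInstaller"; http_header; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2008150; classtype:trojan-activity; sid:2008150; rev:8; metadata:created_at 2010_07_30, updated_at 2017_05_11;)
# sid:2010595 - literal "User-Agent: ???" header; the Sparkle (macOS updater) UA is excluded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (???)"; flow:established,to_server; content:"|0d 0a|User-Agent|3a| ???"; http_header; content:!"|20|Sparkle|2f|"; http_user_agent; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/2010595; classtype:trojan-activity; sid:2010595; rev:6; metadata:created_at 2010_07_30, updated_at 2017_05_25;)
# sid:2012649 - Host header that is an all-numeric .ru domain; rule body continues on the next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; 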
content:!"101.ru"; http_header; content:!"9366858.ru"; http_header; metadata: former_category MALWARE; classtype:misc-activity; sid:2012649; rev:5; metadata:created_at 2011_04_08, updated_at 2017_06_27;) alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:misc-activity; sid:2012328; rev:6; metadata:created_at 2011_02_21, updated_at 2011_02_21;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE InstallCore Variant CnC Checkin"; flow:established,to_server; urilen:1; content:"POST"; http_method; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; http_header; content:"|7c|"; http_client_body; depth:40; content:"POST|20|/|20|HTTP/1.1|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|Host|3a|"; fast_pattern; content:!"Referer|3a|"; http_header; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})\x7c/P"; metadata: former_category MALWARE; reference:md5,42374945061c7941d6690793ae393d3a; classtype:trojan-activity; sid:2024428; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_26, performance_impact Moderate, updated_at 2017_09_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ProxyGearPro Proxy Tool PUA"; flow:to_server,established; content:"GET"; http_method; content:"Proxy|20|Gear|20|Pro/"; http_user_agent; fast_pattern; content:!"Referer|3a 20|"; http_header; metadata: former_category MALWARE; reference:md5,b8889db7b4ef74c9302c12781a92a23a; classtype:policy-violation; sid:2024484; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity 
Major, created_at 2017_07_20, performance_impact Moderate, updated_at 2017_07_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LoadMoney Adware Activity"; flow:to_server,established; content:"POST"; http_method; content:".htm?v="; http_uri; fast_pattern; content:"&eh="; distance:0; http_uri; content:"&ts="; distance:0; http_uri; content:"&u2="; distance:0; http_uri; content:"Cookie|3a 20|a=h+"; content:!"Referer|3a 20|"; http_header; flowbits:set,ETPTadmoney; metadata: former_category MALWARE; reference:md5,681501695c12112aaf2129ab614481bd; reference:md5,1282b899c41b06dac0adb17e0e603d30; classtype:trojan-activity; sid:2024693; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_06_12, malware_family Neshta, performance_impact Low, updated_at 2017_09_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|89 50 4e 47 0d 0a 1a 0a|"; depth:8; byte_jump:2,8,from_beginning,little; isdataat:20,relative; isdataat:!21,relative; content:!"IHDR"; offset:12;depth:4; flowbits:isset,ETPTadmoney; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024699; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, signature_severity Major, created_at 2017_09_11, performance_impact Moderate, updated_at 2017_09_12;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Yokbar User-Agent Detected (YOK Agent)"; flow:established,to_server; content:"User-Agent|3a| YOK Agent|0d 0a|"; http_header; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2008752; classtype:trojan-activity; sid:2008752; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_07_30, updated_at 2017_09_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Downloader Checkin - Downloads Rogue Adware "; flow:established,to_server; content:"GET"; nocase; http_method; content:"AreaID="; nocase; http_uri; content:"MediaID="; nocase; http_uri; content:"AdNo="; nocase; http_uri; content:"OriginalityID="; nocase; http_uri; content:"Url"; nocase; http_uri; content:"Mac="; nocase; http_uri; content:"Version="; nocase; http_uri; content:"ValidateCode="; nocase; http_uri; content:"ParentName="; nocase; http_uri; metadata: former_category TROJAN; reference:url,doc.emergingthreats.net/2009526; classtype:trojan-activity; sid:2009526; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_07_30, updated_at 2017_09_21;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Kraddare Checkin"; flow:established,to_server; content:".php?"; http_uri; content:"strID="; http_uri; content:"strPC="; http_uri; metadata: former_category TROJAN; classtype:trojan-activity; sid:2011492; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2010_09_28, updated_at 2017_09_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Known Malicious User-Agent (x) Win32/Tracur.A or OneStep Adware Related"; flow:to_server,established; content:"User-Agent|3a| x|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; metadata: former_category TROJAN; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2; reference:url,doc.emergingthreats.net/2009987; classtype:trojan-activity; sid:2013017; rev:5; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_06_13, updated_at 2017_09_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UBar Trojan/Adware Checkin 1"; flow:established,to_server; content:"?gname="; http_uri; content:"&pid="; http_uri; content:"&m="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; reference:url,www.threatexpert.com/report.aspx?md5=81a119f7f47663c03053e76146f54fe9; classtype:trojan-activity; sid:2013556; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_09, updated_at 2017_09_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UBar Trojan/Adware Checkin 2"; flow:established,to_server; content:"inst.php?"; http_uri; content:"pcode="; http_uri; content:"&ucode="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013557; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_10, updated_at 2017_09_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE UBar Trojan/Adware Checkin 3"; flow:established,to_server; content:"size.php?"; http_uri; content:"file="; http_uri; content:" from|3a| http|3a|//www.bsalsa.com/ EmbeddedWB "; http_header; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013558; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_09_10, updated_at 2017_09_21;) alert tcp $HOME_NET any -> $EXTERNAL_NET 5217 (msg:"ET MALWARE W32/SmartPops Adware Outbound Off-Port MSSQL 
Communication"; flow:established,to_server; content:"S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; content:"D|00|B|00|_|00|S|00|M|00|A|00|R|00|T|00|P|00|O|00|P"; distance:0; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013956; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2011_11_23, updated_at 2017_09_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware/FakeAV.Kraddare Checkin UA"; flow:established,to_server; content:"pcsetup_"; http_header; pcre:"/User-Agent\x3a \w+pcsetup_\w+/H"; metadata: former_category TROJAN; reference:url,www.scumware.org/report/update.best-pc.co.kr; classtype:trojan-activity; sid:2014583; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2012_04_16, updated_at 2017_09_21;) alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (startupfraction)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0f|startupfraction|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024722; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. 
DNS Query For Adware CnC (search.feedvertizus)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|search|0c|feedvertizus|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024723; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. DNS Query For Adware CnC (go.querymo)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|go|07|querymo|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024724; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE Malicious Chrome Ext. 
DNS Query For Adware CnC (opurie)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|opurie|03|com"; fast_pattern; distance:0; nocase; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024725; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Adware Chrome Extension Detected (1)"; flow:to_server,established; content:"/hostedsearch?"; http_uri; fast_pattern; content:"subid"; distance:0; http_uri; content:"&keyword="; distance:0; http_uri; content:"User-Agent|3a 20|"; http_header; content:"Upgrade-Insecure-Requests|3a 20|"; http_header; content:"Accept"; http_header; content:"Connection|3a 20|"; http_header; metadata: former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024726; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Adware Chrome Extension Detected (2)"; flow:to_server,established; content:"/?keyword="; http_uri; fast_pattern; content:"&id="; distance:0; http_uri; content:"&sysid="; distance:0; http_uri; content:"User-Agent|3a 20|"; http_header; content:"Upgrade-Insecure-Requests|3a 20|"; http_header; content:"Accept"; http_header; content:"Connection|3a 20|"; http_header; metadata: 
former_category TROJAN; reference:url,blog.0day.rocks/malicious-chrome-extension-meddling-with-your-searches-581aa56ddc9c; classtype:trojan-activity; sid:2024727; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_09_19, performance_impact Low, updated_at 2017_09_21;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE [PTsecurity] WebToolbar.Win32.Searchbar.k HTTP JSON Artifact"; flow:established,to_client; content:"200"; http_stat_code; file_data; content:"|7b 22|lib_version|22 3a 22|"; depth:16; content:"|22 2c 22|lib_url|22 3a 22|"; distance:0; fast_pattern; content:"|22 2c 22|bin_version|22 3a 22|"; distance:0; content:"|22 2c 22|bin_url|22 3a 22|"; distance:0; metadata: former_category MALWARE; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:trojan-activity; sid:2024761; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_22, performance_impact Low, updated_at 2017_09_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Adware.SearchGo (start_page)"; flow:established,to_server; urilen: >100; content:"/%f3%07%27%f6%46%d3"; http_raw_uri; depth:19; content:"GET"; http_method; content:"start_page"; http_user_agent; fast_pattern; content:!"Content-Length|3a|"; http_header; content:!"Content-Type|3a|"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:!"Referer|3a|"; http_header; metadata: former_category MALWARE; reference:url,blog.malwarebytes.com/detections/adware-searchgo/; classtype:trojan-activity; sid:2024762; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browsers, attack_target Client_Endpoint, 
deployment Perimeter, signature_severity Major, created_at 2017_09_22, malware_family Searchgo, performance_impact Low, updated_at 2017_09_22;) alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET MALWARE [PTsecurity] DeathBot.Java (Minecraft Spambot)"; flow:established, to_server; dsize:<256; content:"|00 00 00|"; depth:3; content:"|01 78 9c|"; distance:1; within:3; fast_pattern; byte_jump:1,3,from_beginning,post_offset 2; isdataat:1, relative; isdataat:!2,relative; threshold:type limit, track by_src, count 1, seconds 30; metadata: former_category MALWARE; classtype:misc-activity; sid:2024793; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_02, malware_family Spambot, performance_impact Moderate, updated_at 2017_10_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Java.Deathbot Requesting Proxies"; flow:established,to_server; content:"GET"; http_method; content:"/Socks"; http_uri; fast_pattern:only; content:!"Referer|3a 20|"; http_header; content:!"Accept-"; http_header; content:"User-Agent|3a 20|Java/1."; http_header; pcre:"/\/Socks[45]\.txt$/U"; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024794; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_10_02, malware_family Spambot, updated_at 2017_10_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [PTsecurity] Adware.FileFinder Activity"; flow:established, to_server; content:"POST"; http_method; content:"/?i="; http_uri; content:"Content-Type|3a| application/x-www-form-urlencoded"; http_header; content:!"Accept-Encoding|3a|"; http_header; content:!"Referer|3a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"report=AAA"; http_client_body; depth:20; fast_pattern; threshold:type limit, track 
by_src, count 1, seconds 30; metadata: former_category MALWARE; classtype:trojan-activity; sid:2024904; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2017_10_23, performance_impact Moderate, updated_at 2017_10_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32.SoftPulse Retrieving data"; flow:established,to_server; content:"GET"; http_method; content:"/maxpower-static/templates/"; depth:27; http_uri; http_header_names; content:!"Referer"; reference:md5,4aa02ca6a3f04cf445924a6d657d10e5; classtype:trojan-activity; sid:2019143; rev:5; metadata:created_at 2014_07_22, updated_at 2014_07_22;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/DownloadGuide.A"; flow:established,to_server; content:"POST"; http_method; content:"/1/dg/3"; http_uri; fast_pattern; content:"Content-Type|3a 20|application/json"; http_header; content:"{|22|BuildId|22 3a|"; http_client_body; content:"|22|Campaign|22|"; http_client_body; content:"|22|TrackBackUrl|22|"; http_client_body; http_header_names; content:!"Referer"; reference:md5,37b91123a58a48975770241445392aeb; classtype:trojan-activity; sid:2018513; rev:4; metadata:created_at 2014_06_02, updated_at 2014_06_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/DownloadAdmin.Adware User-Agent"; flow:established,to_server; content:"Installer(ref=["; http_user_agent; fast_pattern; content:"|3b|windows="; http_user_agent; distance:0; content:"|3b|uac="; http_user_agent; distance:0; content:"|3b|elevated="; http_user_agent; distance:0; content:"|3b|dotnet="; http_user_agent; distance:0; content:"|3b|startTime="; http_user_agent; distance:0; content:"|3b|pid="; http_user_agent; distance:0; classtype:trojan-activity; sid:2021564; rev:3; metadata:created_at 2015_07_31, updated_at 2015_07_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 
Win32/SoftPulse.H Checkin"; flow:established,to_server; content:"POST"; http_method; urilen:9; content:"/__dmp__/"; http_uri; fast_pattern; content:"data={"; depth:6; http_client_body; http_header_names; content:!"Accept"; content:!"Connection"; content:!"Referer"; reference:md5,6424fb3317b4be3d00e4d489122c9a48; classtype:trojan-activity; sid:2019228; rev:4; metadata:created_at 2014_09_24, updated_at 2014_09_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b 20|)"; http_user_agent; depth:27; isdataat:!1,relative; reference:url,doc.emergingthreats.net/bin/view/Main/2007929; classtype:trojan-activity; sid:2007929; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BrowseFox.H Checkin 2"; flow:established,to_server; content:"POST"; http_method; urilen:3; content:"/rs"; http_uri; content:"alpha="; http_client_body; fast_pattern; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/PR"; http_header_names; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; reference:md5,437a5cb57567c2691ce61a700682eab7; classtype:trojan-activity; sid:2018899; rev:4; metadata:created_at 2014_07_29, updated_at 2014_07_29;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PullUpdate.Adware CnC Beacon"; flow:established,to_server; urilen:7; content:"POST"; http_method; content:"?v="; http_uri; fast_pattern; pcre:"/^\/[a-z]{2}\x3Fv\x3D[0-9]$/U"; http_header_names; content:!"Referer"; content:!"Accept"; content:!"User-Agent"; reference:md5,129563c2ab034af094422db408d7d74f; classtype:trojan-activity; sid:2018368; rev:5; metadata:created_at 2014_04_07, updated_at 2014_04_07;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/iBryte.Adware Installer Download"; flow:established,to_server; content:"GET"; 
http_method; content:".exe?mode="; http_uri; content:"&sf="; http_uri; content:"&browser="; http_uri; content:"&useragent="; http_uri; http_header_names; content:!"Referer"; reference:md5,4c80e5f72a2ab8324b981e37b3b0e5d1; classtype:trojan-activity; sid:2020197; rev:5; metadata:created_at 2015_01_16, updated_at 2015_01_16;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE AdWare.Win32.BetterSurf.b SSL Cert"; flow:established,from_server; content:"CN=*.tr553.com"; threshold: type limit, track by_src, count 2, seconds 60; reference:md5,54c9288cbbf29062d6d873cba844645a; classtype:trojan-activity; sid:2020712; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2015_03_19, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Internet Explorer)"; flow:established,to_server; content:"Internet Explorer"; depth:17; http_user_agent; isdataat:!1,relative; content:!"pnrws.skype.com"; http_host; content:!"iecvlist.microsoft.com"; http_host; content:!".lenovo.com"; http_host; reference:url,doc.emergingthreats.net/bin/view/Main/2008052; classtype:trojan-activity; sid:2008052; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Alexa Search Toolbar User-Agent 2 (Alexa Toolbar)"; flow:to_server,established; content:"Alexa Toolbar"; http_user_agent; threshold: type limit, count 2, seconds 300, track by_src; reference:url,doc.emergingthreats.net/2008085; classtype:trojan-activity; sid:2008085; rev:11; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/ELEX Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/v"; depth:2; http_uri; content:"?update"; http_uri; fast_pattern; distance:0; pcre:"/^[0-9]?=[a-z]+/URi"; http_header_names; content:!"User-Agent"; content:!"Accept"; 
content:!"Referer"; reference:md5, 2fed7fe9d055ebb63897bc2c8996676d; reference:md5,e2fd0d2c44e96cab5017bb8a68ca92a6; classtype:trojan-activity; sid:2019779; rev:6; metadata:created_at 2014_11_24, updated_at 2014_11_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (HTTP)"; flow:to_server,established; content:"HTTP"; http_user_agent; depth:4; isdataat:!1,relative; reference:url,doc.emergingthreats.net/bin/view/Main/2007943; classtype:trojan-activity; sid:2007943; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Win32/DownloadAssistant.A Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/launch/"; http_uri; isdataat:!1,relative; http_header_names; content:"X-Crypto-Version"; fast_pattern; content:!"User-Agent"; content:!"Referer"; reference:md5,62a4d32dcb1c495c5583488638452ff9; classtype:trojan-activity; sid:2021283; rev:4; metadata:created_at 2015_06_16, updated_at 2015_06_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Connection to go2000.cn - Common Malware Checkin Server"; flow:established,to_server; content:"go2000.cn"; http_host; isdataat:!1,relative; reference:url,www.mywot.com/en/scorecard/go2000.cn; classtype:trojan-activity; sid:2013422; rev:3; metadata:created_at 2011_08_18, updated_at 2011_08_18;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (single dash)"; flow:to_server,established; content:"-"; http_user_agent; depth:1; isdataat:!1,relative; reference:url,doc.emergingthreats.net/bin/view/Main/2007880; classtype:trojan-activity; sid:2007880; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WinWrapper.Adware Initial Install Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern; content:"&appid="; http_uri; content:"&ts="; 
http_uri; content:"&dlip="; http_uri; content:"&dlid="; http_uri; content:"&proto="; http_uri; content:"NSIS_Inetc (Mozilla)"; depth:20; http_user_agent; http_header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020627; rev:5; metadata:created_at 2015_03_06, updated_at 2015_03_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/OutBrowse.G Variant Checkin"; flow:to_server,established; content:"/dmresources/instructions"; fast_pattern; http_uri; content:".dat"; http_uri; content:"NSISDL/1.2 (Mozilla)"; depth:20; http_user_agent; http_protocol; content:"HTTP/1.0"; isdataat:!1,relative; http_header_names; content:!"Referer"; reference:md5,d75055c45e2c5293c3e0fbffb299ea6d; reference:url,www.virustotal.com/en/file/95e0eaaee080f2c167464ed6da7e4b7a27937ac64fd3e1792a1aa84c1aed488e analysis/; classtype:trojan-activity; sid:2017992; rev:8; metadata:created_at 2014_01_20, updated_at 2014_01_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)"; flow:established,to_server; content:"iWin|20|"; http_user_agent; depth:5; reference:url,doc.emergingthreats.net/2008558; classtype:trojan-activity; sid:2008558; rev:8; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/InstallCore Initial Install Activity 1"; flow:established,to_server; content:"POST"; http_method; content:"/?v="; depth:4; http_uri; content:"&subver="; fast_pattern; distance:0; http_uri; content:"&pcrc="; distance:0; http_uri; pcre:"/^\/\?v=[\d\.]{3,4}&subver=[\d\.]{4,5}&pcrc=\d+$/U"; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,0a6a0baf77b80706cab665754ecadac9; classtype:trojan-activity; sid:2022807; rev:2; metadata:created_at 2016_05_16, updated_at 
2016_05_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (MSIE7 na)"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|na|3b 20|)"; fast_pattern; http_user_agent; reference:url,doc.emergingthreats.net/2010461; classtype:trojan-activity; sid:2010461; rev:7; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/InstallMonetizer.Adware Beacon 1"; flow:established,to_server; content:"POST"; http_method; content:"NSIS_Inetc (Mozilla)"; http_user_agent; fast_pattern; content:"from="; http_client_body; depth:5; content:"&type="; http_client_body; distance:0; content:"&pubid="; http_client_body; distance:0; content:"&BundleVersionID="; http_client_body; distance:0; classtype:trojan-activity; sid:2018148; rev:4; metadata:created_at 2014_02_17, updated_at 2014_02_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (MyIE/1.0)"; flow:established,to_server; content:"MyIE/"; http_user_agent; depth:5; reference:url,doc.emergingthreats.net/2009991; classtype:trojan-activity; sid:2009991; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Wget User-Agent (wget 3.0) - Likely Hostile"; flow:established,to_server; content:"wget 3.0"; http_user_agent; depth:8; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2007961; classtype:trojan-activity; sid:2007961; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/OpenCandy Adware Checkin"; flow:established,to_server; content:"clientv="; http_uri; content:"&cltzone="; http_uri; content:"&mstime="; http_uri; content:"&os="; http_uri; content:"&product_key="; http_uri; content:"opencandy.com"; fast_pattern; http_host; classtype:trojan-activity; sid:2014122; rev:4; metadata:created_at 2012_01_12, updated_at 2012_01_12;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Explorer)"; flow:established,to_server; content:"Explorer"; http_user_agent; depth:8; isdataat:!1,relative; reference:url,doc.emergingthreats.net/bin/view/Main/2007921; classtype:trojan-activity; sid:2007921; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Hadsruda!bit Adware/PUA Installation Activity"; flow:to_server,established; content:"GET"; http_method; content:"?alpha="; http_uri; content:"NSIS_Inetc"; http_user_agent; depth:10; fast_pattern; pcre:"/\?alpha=(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})/U"; reference:md5,6b58b3eb9bbb0f7297a2e36e615506d3; classtype:trojan-activity; sid:2022850; rev:3; metadata:created_at 2016_06_02, updated_at 2016_06_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PUP Optimizer Pro Adware Download"; flow:established,to_server; content:"GET"; http_method; content:"/OptimizerPro.exe"; nocase; http_uri; isdataat:!1,relative; fast_pattern; http_header_names; content:!"Referer"; reference:url,malwr.com/analysis/NjdkMTczMDQ0MDQ0NGNmZWE0OTgzYTY2YzU5OGY2YmI/; classtype:trojan-activity; sid:2018743; rev:3; metadata:created_at 2014_07_21, updated_at 2014_07_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PCAcceleratePro PUA/Adware User-Agent"; flow:established,to_server; content:"PCAcceleratePro"; http_user_agent; depth:15; isdataat:!1,relative; classtype:trojan-activity; sid:2022828; rev:3; metadata:created_at 2016_05_18, updated_at 2016_05_18;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (downloader)"; flow:to_server,established; content:"downloader"; http_user_agent; depth:10; isdataat:!1,relative; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:trojan-activity; sid:2007885; rev:9; metadata:affected_product Any, attack_target Client_Endpoint, 
deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.MultiInstaller"; flow:established, to_server; content:"GET"; http_method; content:"?s1="; http_uri; fast_pattern; pcre:"/^\/(?:info|entrance|start|debug)\?s1=[a-f0-9]{100,}$/U"; http_header_names; content:!"Referer"; reference:md5, 26973eeddb4781225b7c23d2d9cce996; reference:md5,a74b1602a50b9c7d3262e3f80a6a2e68; classtype:trojan-activity; sid:2018512; rev:6; metadata:created_at 2014_06_02, updated_at 2014_06_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/PicColor Adware CnC Beacon"; flow:established,to_server; content:"GET"; http_method; content:"?d="; http_uri; content:"&format=json"; http_uri; isdataat:!1,relative; fast_pattern; http_header_names; content:!"Accept-"; content:!"Referer"; reference:md5,6b173406ffccaa6d0287b795f8de2073; classtype:trojan-activity; sid:2020948; rev:3; metadata:created_at 2015_04_20, updated_at 2015_04_20;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/GameVance Adware User Agent"; flow:established,to_server; content:"zz_"; depth:3; http_user_agent; pcre:"/^[a-z0-9]{1,3}\s*[0-9]\.[0-9]{1,2}\.[0-9]{2,4}/VRi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3aWin32/GameVance; classtype:trojan-activity; sid:2014340; rev:6; metadata:created_at 2012_03_08, updated_at 2012_03_08;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/DownloadAssistant.A PUP CnC"; flow:established,to_server; content:"POST"; http_method; content:"/v2/"; http_uri; depth:4; fast_pattern; pcre:"/^\/v2\/(?:(?:(?:intro_impr|s)ession|l(?:aunch|og)|exit)/$|c(?:(?:dn_(?:success|check)|ancel)/$|lick/))/U"; http_header_names; content:"X-Crypto-Version"; content:!"User-Agent"; reference:md5,a54f78d0fe6d1a1a09c22a71646c24b3; classtype:trojan-activity; sid:2021282; rev:3; metadata:created_at 
2015_06_16, updated_at 2015_06_16;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MALWARE W32/WinWrapper.Adware POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/api.cgi?act="; http_uri; fast_pattern; content:"&appid="; http_uri; content:"&proto="; http_uri; content:"WinWrapper"; depth:10; http_user_agent; content:"{|22|appId|22 3a 22|"; http_client_body; content:"|22|uuId|22 3a 22|"; http_client_body; http_header_names; content:!"Referer"; reference:md5,2d71e44c02784d579fb4af18bbbeae6c; classtype:trojan-activity; sid:2020628; rev:4; metadata:created_at 2015_03_06, updated_at 2015_03_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Adware.Gamevance.AV Checkin"; flow:established,to_server; content:"/aj/"; http_uri; fast_pattern; content:".php?p="; http_uri; http_header_names; content:!"Referer"; reference:url,virustotal.com/en/file/21e04ef285d9df2876bab83dd91a8bd78ecdf0d47a8e4693e2ec1924f642bfc8/analysis/; reference:md5,0134997dff945fbfe62f343bcba782bc; classtype:trojan-activity; sid:2017136; rev:5; metadata:created_at 2013_07_11, updated_at 2013_07_11;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE User-Agent (Internet Explorer 6.0) - Possible Trojan Downloader"; flow:to_server,established; content:"Internet Explorer 6.0"; http_user_agent; depth:21; isdataat:!1,relative; reference:url,doc.emergingthreats.net/bin/view/Main/2007860; classtype:trojan-activity; sid:2007860; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag Trojan_Downloader, signature_severity Major, created_at 2010_07_30, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Adware.Adposhel.A Checkin 5"; flow:established,to_server; content:"POST"; http_method; content:"/q/"; depth:3; http_uri; fast_pattern; content:"q="; depth:2; http_client_body; pcre:"/^[a-zA-Z0-9_-]+$/PR"; http_connection; content:"close"; nocase; 
isdataat:!1,relative; http_content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,f0e02ba660cfcb122b89bc780a6555ac; classtype:trojan-activity; sid:2025094; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Internet, tag Adware, signature_severity Major, created_at 2017_12_01, malware_family Adposhel, performance_impact Moderate, updated_at 2017_12_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (My Session)"; flow:to_server,established; content:"My Session"; nocase; depth:10; http_user_agent; content:!".windows.net"; http_host; isdataat:!1,relative; reference:url,doc.emergingthreats.net/2010677; classtype:trojan-activity; sid:2010677; rev:8; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2017_02_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE qq.com related Spyware User-Agent (QQGame)"; flow:to_server,established; content:"QQGame"; nocase; depth:6; http_user_agent; reference:url,doc.emergingthreats.net/2003658; classtype:trojan-activity; sid:2003658; rev:9; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Spyware_User_Agent, signature_severity Minor, created_at 2010_07_30, updated_at 2016_07_01;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image M2"; flow: established,from_server; http_content_type; content:"image/jpeg"; depth:10; isdataat:!1,relative; file_data; content:"MZ"; within:2; content:"!This program"; distance:0; fast_pattern; metadata: former_category MALWARE; classtype:trojan-activity; sid:2020757; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, 
attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2015_03_26, performance_impact Low, updated_at 2017_12_21;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspicious User-Agent (Mozilla/4.0 (compatible ICS))"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3b 20|ICS)"; depth:29; http_user_agent; isdataat:!1,relative; content:!".iobit.com"; http_host; content:!".microsoft.com"; http_host; content:!".cnn.com"; http_host; content:!".wunderground.com"; http_host; content:!".weatherbug.com"; http_host; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2008038; classtype:trojan-activity; sid:2008038; rev:11; metadata:created_at 2010_07_30, updated_at 2017_12_14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.LoadMoney User Agent 2"; flow:established,to_server; content:"s|20|2.8"; http_user_agent; depth:5; fast_pattern; pcre:"/^User-Agent\x3a\x20s\x202\.8\d\r?$/Hm"; metadata: former_category MALWARE; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PUA:Win32/LoadMoney; classtype:trojan-activity; sid:2025302; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family Loadmoney, performance_impact Moderate, updated_at 2018_02_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/LoadMoney Adware Activity M2"; flow:to_server,established; content:"GET"; http_method; content:"/software_install?sid="; http_uri; fast_pattern; content:"&sub_id="; distance:0; http_uri; content:"&hash="; distance:0; http_uri; content:"&mid="; distance:0; http_uri; content:"&fname="; distance:0; http_uri; content:!"Referer|3a 20|"; http_header; flowbits:set,ETPTadmoney; metadata: former_category MALWARE; reference:md5,844e53381099d572c3864c7a42ddbbf1; classtype:trojan-activity; 
sid:2025303; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_02, malware_family Loadmoney, performance_impact Moderate, updated_at 2018_02_02;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rogue.WinPCDefender Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/?machine_id={"; http_uri; depth:14; fast_pattern; content:"}"; http_uri; distance:0; isdataat:!1,relative; content:!"Referer"; http_header; content:"anti"; http_host; depth:4; metadata: former_category MALWARE; reference:md5,aa8def27909596f8477a5374f735eec9; reference:url,www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2017; classtype:trojan-activity; sid:2025358; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_14, performance_impact Moderate, updated_at 2018_02_14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PPI User-Agent (InstallCapital)"; flow:to_server,established; content:"User-Agent|3a 20|InstallCapital"; http_header; metadata: former_category TROJAN; reference:md5,a6a9e8b0432ad557245ac8ad2926ed7c; classtype:trojan-activity; sid:2022246; rev:3; metadata:created_at 2015_12_11, updated_at 2018_02_21;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (OSX/Calender 2 Mining)"; flow:established,to_client; tls_cert_subject; content:"CN=*.qbix.com"; nocase; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,objective-see.com/blog/blog_0x2B.html; classtype:trojan-activity; sid:2025424; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_03_12, performance_impact Moderate, updated_at 2018_03_12;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; content:!".mcafee.com"; http_host; content:!"deezer.com"; http_host; isdataat:!1,relative; content:!"googlezip.net"; http_host; content:!"metrics.tbliab.net"; http_host; isdataat:!1,relative; content:!"dajax.com"; http_host; isdataat:!1,relative; content:!"update.eset.com"; http_host; isdataat:!1,relative; content:!".sketchup.com"; http_host; isdataat:!1,relative; content:!".yieldmo.com"; http_host; isdataat:!1,relative; content:!"ping-start.com"; http_host; isdataat:!1,relative; content:!".bluekai.com"; http_host; content:!".stockstracker.com"; http_host; content:!".doubleclick.net"; http_host; content:!".pingstart.com"; http_host; content:!".colis-logistique.com"; http_host; content:!"android-lrcresource.wps.com"; http_host; content:!"track.package-buddy.com"; http_host; content:!"talkgadget.google.com"; http_host; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:20; metadata:affected_product Any, attack_target Client_Endpoint, deployment Perimeter, tag User_Agent, signature_severity Major, created_at 2010_07_30, updated_at 2018_04_03;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Foniad Domain (maraukog .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"maraukog.info"; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025487; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_16;) alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE 
Observed Win32/Foniad Domain (acinster .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"acinster.info"; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025488; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)
# NOTE(review): the Win32/Foniad TLS SNI rules (sids 2025488-2025493) match the SNI with a
# case-sensitive content, while the DNS rule for the same domain (sid 2025531) uses nocase.
# Hostnames are case-insensitive, so a mixed-case SNI would not trigger the TLS rules as
# written; adding nocase (and bumping rev) would align them with the DNS sibling.
# isdataat:!1,relative requires that nothing follows the domain in the buffer, i.e. the
# SNI must equal the domain rather than merely contain it.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Foniad Domain (aclassigned .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"aclassigned.info"; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025489; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Foniad Domain (efishedo .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"efishedo.info"; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025490; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Foniad Domain (enclosely .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"enclosely.info"; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025491; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Foniad Domain (insupposity .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"insupposity.info"; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025492; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Observed Win32/Foniad Domain (suggedin .info in TLS SNI)"; flow:established,to_server; tls_sni; content:"suggedin.info"; isdataat:!1,relative; metadata: former_category MALWARE; reference:url,www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=BrowserModifier:Win32/Foniad; classtype:trojan-activity; sid:2025493; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_13, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_13;)
# DNS-lookup companion for suggedin.info (dns_query buffer, nocase).
alert dns $HOME_NET any -> any any (msg:"ET MALWARE Observed Win32/Foniad Domain (suggedin .info in DNS Lookup)"; dns_query; content:"suggedin.info"; nocase; isdataat:!1,relative; metadata: former_category MALWARE; reference:md5,dc2c0b6a8824f5ababf18913ad6d0793; classtype:trojan-activity; sid:2025531; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_04_17, malware_family Foniad, performance_impact Moderate, updated_at 2018_04_24;)
# PUA/adware install telemetry (signature_severity Minor): Lavasoft, WiseCleaner and
# Antibody Software phone-home requests, each pinned to the vendor's Host header.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Lavasoft PUA/Adware Client Install"; flow:established,to_server; content:"POST"; http_method; content:"/event-stat?ProductID="; http_uri; fast_pattern; content:"&Type=StubStart"; http_uri; distance:0; content:"lavasoft.com"; http_host; metadata: former_category MALWARE; classtype:trojan-activity; sid:2025537; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag Adware, signature_severity Minor, created_at 2018_04_26, updated_at 2018_04_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WiseCleaner Installed (PUA)"; flow:established,to_server; content:"POST"; http_method; content:".php?p=install_statistics"; nocase; http_uri; content:"wisecleaner.net"; http_host; fast_pattern; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.0|3b 20|Maxthon)"; http_user_agent; metadata: former_category MALWARE; reference:url,wisecleaner.com; reference:md5,cd6e96207ea60b3e6e46c393fdcc9e0c; classtype:trojan-activity; sid:2025589; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_12, updated_at 2018_06_12;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Antibody Software Installed (PUA)"; flow:established,to_server; content:"GET"; http_method; content:"version.php?ver="; nocase; http_uri; content:"&newinstall="; nocase; http_uri; distance:0; content:"antibody-software.com"; http_host; fast_pattern; content:"Embarcadero URI Client/1.0"; http_user_agent; metadata: former_category MALWARE; reference:url,antibody-software.com; reference:md5,8e22d630b992f9cb4d7f6b0aceebb37f; classtype:trojan-activity; sid:2025590; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Minor, created_at 2018_06_12, updated_at 2018_06_12;)
# MSIL/Adload beacon: GET /impression.do with the listed query parameters. The
# http_header_names negations additionally require that no Referer and no Accept
# header is present in the request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MSIL/Adload.AT Beacon"; flow:established,to_server; content:"GET"; http_method; content:"/impression.do"; http_uri; fast_pattern; content:"source="; http_uri; content:"&event="; http_uri; content:"&implementation_id="; http_uri; content:"user_id="; http_uri; content:"&useragent="; http_uri; content:"&sgn="; http_uri; content:"&subid2="; http_uri; content:"&ts="; http_uri; http_header_names; content:!"Referer"; content:!"Accept"; metadata: former_category MALWARE; reference:md5,d15069e44ec849ab26bcefffe6867f10; reference:md5,4ececc2f027a096c2100ec1125d0d151; classtype:trojan-activity; sid:2022893; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag Adware, signature_severity Major, created_at 2016_06_13, malware_family MSIL_Adload, updated_at 2018_06_22;)
# Adposhel check-in: the User-Agent must begin with "Installer event sender/" (depth:23 is
# the length of that prefix) and isdataat:!3,relative allows at most two further bytes;
# as with the Adload rule, Referer and Accept headers must be absent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [eSentire] Win32/Adware.Adposhel.lgvk CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/inst?data="; http_uri; nocase; content:"Installer event sender/"; http_user_agent; depth:23; fast_pattern; isdataat:!3,relative; http_header_names; content:!"Accept"; content:!"Referer"; metadata: former_category MALWARE; reference:md5,e7c2c1b796dad6210165110b7e8cda7d; classtype:trojan-activity; sid:2025645; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_07_10, malware_family Adposhel, performance_impact Low, updated_at 2018_07_10;)
# Generic indicator: a User-Agent value that itself starts with "User-Agent: " (header
# emitted twice). Two explicit exclusions: the SogouMobileTool UA and .lge.com hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Double User-Agent (User-Agent User-Agent)"; flow:established,to_server; content:"User-Agent|3a 20|"; depth:12; nocase; http_user_agent; content:!"SogouMobileTool"; nocase; http_user_agent; content:!".lge.com"; http_host; metadata: former_category MALWARE; reference:url,doc.emergingthreats.net/bin/view/Main/2003626; classtype:trojan-activity; sid:2003626; rev:14; metadata:created_at 2010_07_30, updated_at 2017_11_27;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Luxsoft Win32/ICLoader User-Agent"; flow:to_server,established; content:"POST"; http_method; content:"Medunja Solodunnja 6.0.0"; http_user_agent; nocase; metadata: former_category MALWARE; classtype:trojan-activity; sid:2026114; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_09_18, updated_at 2018_09_18;)
# Fake Adobe Reader update pair. The response rule (sid 2026734) is to_client: a 200 whose
# headers carry filename=readerdc..._install.exe and a Set-Cookie session= value but no
# "Server: Apache". The request rule (sid 2026735) keys on a Reader DC download-style URI
# being requested from a Host other than get.adobe.com -- the negated http_host is what
# turns a legitimate-looking path into a lookalike-site check.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Fake Adobe Update Download"; flow:established,to_client; content:"200"; http_stat_code; content:"filename=readerdc"; fast_pattern; http_header; nocase; pcre:"/(_[a-z]{2}){1,3}_[a-z]{3}_install\.exe/RHi"; content:!"Server|3a 20| Apache"; http_header; content:"Set-Cookie|3a 20|session="; http_header; metadata: former_category MALWARE; classtype:trojan-activity; sid:2026734; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_12_17, updated_at 2018_12_17;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fake Adobe Update Request"; flow:established,to_server; content:"GET"; http_method; content:"/en"; nocase; http_uri; content:"/reader/download/?installer=Reader_DC_20"; nocase; within:45; http_uri; pcre:"/\d{2}\.0\d{2}\.200\d{2}_English(?:_for)?_Windows/RU"; content:!"get.adobe.com"; http_host; metadata: former_category MALWARE; classtype:trojan-activity; sid:2026735; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_12_17, updated_at 2018_12_17;)
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED.
# IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.
# Section: ET / GPL MISC rules. Rules prefixed with "#" are disabled in this distribution.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"ET MISC HP Web JetAdmin ExecuteFile admin access"; flow: to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; reference:bugtraq,10224; reference:url,doc.emergingthreats.net/2001055; classtype:attempted-admin; sid:2001055; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
# CVS pserver (tcp/2401) error responses, matched from_server: these fire on the server's
# reply text (e.g. "no such user", "no such repository"; "I HATE YOU" is the literal
# pserver authentication-failure reply), so they indicate a refused request.
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2102008; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2102009; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102010; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102011; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2102012; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2102013; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:2101939; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:2101940; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:2101917; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL MISC Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:2100449; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:2101627; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"GPL MISC Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:2100281; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; classtype:attempted-recon; sid:2100517; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:2101538; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:2100523; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# PCAnywhere (tcp/5631) server-side "Invalid login" reply: a failed, not successful, logon.
alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"GPL MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:2100511; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC nntp SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2103078; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:2100328; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:2100326; rev:11; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL MISC Finger remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:2100327; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102317; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip any any -> any any (msg:"GPL MISC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102189; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip any any -> any any (msg:"GPL MISC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102188; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip any any -> any any (msg:"GPL MISC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102187; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip any any -> any any (msg:"GPL MISC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2102186; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2102159; rev:12; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp any any <> any 179 (msg:"GPL MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2102158; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2102048; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# BGP (tcp/179): flags:RSF* matches any segment with RST, SYN or FIN set on an established
# flow; threshold type both alerts once per 10 s per destination after 10 such segments.
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2102523; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# NOTE(review): the "Multipart" match below is case-sensitive (no nocase). Clients typically
# send "multipart/form-data" in lowercase, so as written this rule is likely to miss
# ordinary multipart uploads to the firmware-upload script; consider nocase plus a rev bump.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; http_uri; content:"Content-Type|3A|"; http_header; content:"Multipart"; distance:0; http_header; reference:bugtraq,9978; classtype:web-application-activity; sid:2102547; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert http $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; http_uri; reference:bugtraq,9972; classtype:web-application-activity; sid:2102548; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2102549; rev:2; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2102561; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC return code buffer overflow attempt"; flow:to_client,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:2101792; rev:10; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# r-services (tcp/513 rlogin, tcp/514 rsh): raw content matches on plaintext request bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Disabled. Depends on flowbits:isset,ET.RUGGED.BANNER, which must be set by a companion rule
# that is not in this section; if that rule is not loaded this one can never fire.
#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET MISC RuggedCom factory account backdoor"; flow:to_client,established;flowbits:isset,ET.RUGGED.BANNER; content:"Enter User Name|3A|"; pcre:"/Enter User Name\x3a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*\s*(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*f(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*a(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*c(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*t(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*o(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*r(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*y(\xff[\xf0-\xff](\xff|[\x00-\x22]))*\x00*\x7f*\x08*[\r\n]/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:4; metadata:created_at 2012_04_27, updated_at 2012_04_27;)
#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:to_server; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:to_server; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
# Emerging Threats
#
# This distribution may contain rules under two different licenses.
#
# Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2.
# A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html
#
# Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License
# as follows:
#
#*************************************************************
# Copyright (c) 2003-2017, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
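#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
#
#
#
# This Ruleset is EmergingThreats Open optimized for suricata-4.0-enhanced.
# Section: ET MOBILE_MALWARE (Android / Symbian). Rules prefixed with "#" are disabled.
alert http $HOME_NET any -> $EXTERNAL_NET 9033 (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 2"; flow:established,to_server; content:".log"; http_uri; nocase; content:"id="; http_uri; nocase; content:"softid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A/; classtype:trojan-activity; sid:2012452; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
# DroidDream C2: POST to /GMServer/GMServlet with a Dalvik User-Agent (matched in the raw header buffer).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan DroidDream Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/GMServer/GMServlet"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Dalvik"; http_header; reference:url,blog.mylookout.com/2011/03/security-alert-malware-found-in-official-android-market-droiddream/; classtype:trojan-activity; sid:2012453; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
# Disabled (review): this rule carries three empty matches, `content:""; content:""; content:"";`,
# where its distinguishing patterns should be (they appear to have been lost). A zero-length
# content pattern is rejected by the Suricata/Snort rule parser, so the rule fails to load
# as written. Stripping the empty matches instead would leave only POST + "request" + ".php"
# in the URI, which is far too generic to run. Restore the original patterns and bump rev
# before re-enabling.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 1"; flow:established,to_server; content:"POST"; http_method; content:"request"; http_uri; nocase; content:".php"; http_uri; nocase; content:""; content:""; content:""; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012454; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Fake10086 checkin 2"; flow:established,to_server; content:"req.php"; nocase; http_uri; content:"pid="; http_uri; nocase; content:"ver="; http_uri; nocase; content:"area="; http_uri; nocase; content:"insttime="; http_uri; nocase; content:"first="; http_uri; nocase; reference:url,blog.aegislab.com/index.php?op=ViewArticle&articleId=81&blogId=1; classtype:trojan-activity; sid:2012455; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
# "params=" carries no buffer modifier, so it is matched against the raw payload rather than a normalized HTTP buffer.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan Command and Control Communication"; flow:established,to_server; content:"POST"; http_method; content:"/getAdXml.do"; http_uri; nocase; content:"params="; nocase; reference:url,www.isc.sans.org/diary.html?storyid=10186; classtype:trojan-activity; sid:2012140; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_01_05, updated_at 2016_07_01;)
# NOTE(review): "imsi=" is the only URI match in this rule without nocase; likely an oversight relative to its siblings.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Trojan MSO.PJApps checkin 1"; flow:established,to_server; content:"/push/androidxml/"; http_uri; nocase; content:"sim="; http_uri; nocase; content:"tel="; http_uri; nocase; content:"imsi="; http_uri; content:"pid="; http_uri; nocase; reference:url,virus.netqin.com/en/android/MSO.PJApps.A; classtype:trojan-activity; sid:2012451; rev:5; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_03_10, updated_at 2016_07_01;)
# Legacy Symbian (SymbOS) rules, shipped disabled.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; nocase; http_uri; content:"StartUpdata.ini"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012782; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/BackgroundUpdata.ini"; http_uri; nocase; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012783; rev:3; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS SuperFairy.D active.txt Missing File HTTP Request"; flow:established,to_server; content:"/client/symbian/"; http_uri; nocase; content:"active.txt"; nocase; http_uri; within:30; fast_pattern; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012784; rev:2; metadata:created_at 2011_05_03, updated_at 2011_05_03;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request"; flow:established,to_server; content:"/Kernel.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012844; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request"; flow:established,to_server; content:"/bs?Version="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012845; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2"; flow:established,to_server; content:"/number/?PhoneType="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012846; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3"; flow:established,to_server; content:".jsp?PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,blog.fortinet.com/symbosyxes-or-downloading-customized-malware/; classtype:trojan-activity; sid:2012847; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Flexispy.a Commercial Spying App Sending User Information to Server"; flow:established,to_server; content:"Host|3a| mobile.flexispy.com"; http_header; content:"/service"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_flexispy.a!tr.spy.html; classtype:trojan-activity; sid:2012850; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE 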
SymbOS/Yxes.I NumberFile.jsp CnC Server Communication"; flow:established,to_server; content:"NumberFile.jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012853; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Merogo User Agent"; flow:established,to_server; content:"User-Agent|3A| LiveUpdater 1.0"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_merogo.b!tr.html; classtype:trojan-activity; sid:2012854; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server"; flow:established,to_server; content:"/webapi/gpslog.php"; nocase; http_uri; content:"&long="; nocase; http_uri; content:"&lat="; nocase; http_uri; content:"&speed="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012855; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server"; flow:established,to_server; content:"/webapi/calllog.php"; http_uri; content:"&date="; http_uri; content:"&time="; http_uri; content:"&from="; http_uri; content:"&dur="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012856; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/HiShowServlet/servlet"; http_uri; 
pcre:"/\x2FHiShowServlet\x2Fservlet.+(InstalNum|UserActivation)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012858; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"sender="; http_uri; content:"&cpId="; http_uri; content:"&cpServiceId="; http_uri; content:"&channelId="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012864; rev:2; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I PropertyFile.jsp CnC Server Communication"; flow:established,to_server; content:"/PropertyFile.jsp?Version="; nocase; http_uri; content:"&PhoneType="; nocase; http_uri; content:"&PhoneImei="; nocase; http_uri; content:"&PhoneImsi="; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012851; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication"; flow:established,to_server; content:"TipFile.jsp"; http_uri; content:"&LanguageCode="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"&PhoneImsi="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_yxes.i!worm.html; classtype:trojan-activity; sid:2012852; rev:4; metadata:created_at 2011_05_25, updated_at 2011_05_25;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server"; flow:established,to_server; content:"jiao.com"; http_header; fast_pattern; content:"/?id=book22"; nocase; http_uri; pcre:"/Host\x3A[^\n\r]*jiao.com/Hi"; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_superfairy.d!tr.html; classtype:trojan-activity; sid:2012904; rev:2; metadata:created_at 2011_05_31, updated_at 2011_05_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Smspacem CnC Communication Attempt"; flow:established,to_server; content:"/talktome.asmx"; nocase; http_uri; content:"cell"; http_client_body; nocase; content:"opname"; nocase; distance:0; http_client_body; reference:url,www.fortiguard.com/encyclopedia/virus/android_smspacem.a!tr.html; classtype:trojan-activity; sid:2012924; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_02, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Iphone iKee.B Checkin"; flow:established,to_server; content:"/xlm.p.php?id="; http_uri; nocase; reference:url,mtc.sri.com/iPhone/; classtype:trojan-activity; sid:2013019; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin"; flow:established,to_server; content:"POST"; http_method; 
content:"/search/sayhi.php"; http_uri; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013020; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Possible Post of Infected Mobile Device Location Information"; flow:established,to_server; content:"POST"; http_method; nocase; content:"longitude="; http_uri; nocase; content:"latitude="; http_uri; nocase; classtype:trojan-activity; sid:2013021; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 2"; flow:established,to_server; content:"POST"; http_method; content:"search/rpty.php"; http_uri; nocase; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; classtype:trojan-activity; sid:2013022; rev:2; metadata:created_at 2011_06_13, updated_at 2011_06_13;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Tonclank JAR File Download"; flow:established,to_server; content:"/ProtocolGW/"; fast_pattern; http_uri; nocase; content:"filename="; http_uri; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99&tabid=2; classtype:trojan-activity; sid:2013040; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;) alert http $EXTERNAL_NET 
any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.Plankton/Tonclank Control Server Responding With JAR Download URL"; flow:established,to_client; content:"|0d 0a|url=http|3A|//"; nocase; content:"ProtocolGW/|3B|filename="; nocase; distance:0; reference:url,www.csc.ncsu.edu/faculty/jiang/Plankton/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013044; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_16, updated_at 2016_07_01;) #alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server Waplove.cn"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|waplove|02|cn"; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99&tabid=2; classtype:trojan-activity; sid:2013038; rev:3; metadata:created_at 2011_06_16, updated_at 2011_06_16;) #alert http $HOME_NET any -> $EXTERNAL_NET 8511 (msg:"ET MOBILE_MALWARE DroidKungFu Checkin 3"; flow:established,to_server; content:"POST"; http_method; content:"/search/getty.php"; reference:url,extraexploit.blogspot.com/2011/06/droidkungfu-just-some-piece-of-code.html; reference:url,www.redmondpie.com/droidkungfu-new-hard-to-detect-android-malware-threat-on-the-loose-steals-user-data-and-more/; reference:url,www.fortiguard.com/encyclopedia/virus/android_droidkungfu.a!tr.html; reference:url,blog.fortinet.com/androiddroidkungfu-attacking-from-a-mobile-device/; classtype:trojan-activity; sid:2013063; rev:2; metadata:created_at 2011_06_17, updated_at 2011_06_17;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.HongTouTou Checkin"; flow:established,to_server; content:"POST"; http_method; content:".aspx?im="; http_uri; content:"User-Agent|3A| J2ME/UCWEB"; http_header; 
reference:url,www.fortiguard.com/encyclopedia/virus/android_hongtoutou.a!tr.html; classtype:trojan-activity; sid:2013072; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.YzhcSms URL for Possible File Download"; flow:established,to_server; content:"/ss/attachments/files/URLshorter.apk"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013079; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_06_21, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; nocase; content:""; http_client_body; nocase; content:"<|2F|IMSI"; nocase; distance:0; http_client_body; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message"; flow:established,to_server; content:"/Jump.jsp?Version="; http_uri; 
fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013142; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes KernelPara.jsp CnC Checkin Message"; flow:established,to_server; content:"/KernelPara.jsp?Version="; http_uri; fast_pattern:only; content:"&PhoneType="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013143; rev:2; metadata:created_at 2011_06_30, updated_at 2011_06_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message"; flow:established,to_server; content:".jsp?Version="; http_uri; content:"&PhoneType="; http_uri; content:"&PhoneImei="; http_uri; content:"PhoneImsi="; http_uri; content:"&PhoneNumber="; http_uri; content:"&Succeed="; http_uri; content:"&Fail="; http_uri; content:"&Source="; http_uri; content:"&Time="; http_uri; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013140; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download"; flow:established,to_server; content:"plugucsrv.sisx"; http_uri; fast_pattern:only; reference:url,blog.fortinet.com/symbosyxes-goes-version-2/; classtype:trojan-activity; sid:2013141; rev:3; metadata:created_at 2011_06_30, updated_at 2011_06_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.CruseWin XML Configuration File Sent From CnC Server"; flowbits:isset,ET.And.CruseWin; flow:established,from_server; content:"http|3A|//"; nocase; content:"http|3A|//"; nocase; distance:0; content:" $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Bgserv POST of Data to CnC Server"; flow:established,to_server; content:"POST"; http_method; 
uricontent:"/Coop/request"; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-031005-2918-99&tabid=2; classtype:trojan-activity; sid:2013210; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_06, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Task Information Retrieval"; flow:established,to_server; content:"/alotWorkTask.aspx?no="; http_uri; content:"&uid="; http_uri; content:"&ti="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013240; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/GoldDream Uploading Watch Files"; flow:established,to_server; content:"/upload/UploadFiles.aspx?askId="; http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/android_golddream.a!tr.spy.html; classtype:trojan-activity; sid:2013241; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_08, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/CommDN Downloading Second Stage Malware Binary"; flow:established,to_server; content:"DGOManagerServer/file/TianXiangServer2.sisx"; nocase; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_commdn.a!tr.html; classtype:trojan-activity; sid:2013261; rev:2; metadata:created_at 2011_07_13, updated_at 2011_07_13;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam CnC Checkin"; flow:established,to_server; content:"/ddown/getvalid.aspx"; nocase; 
http_uri; fast_pattern:only; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013265; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE SymbOS/SymGam Receiving SMS Message Template from CnC Server"; flow:established,to_client; content:""; content:""; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_symgam.a!tr.html; classtype:trojan-activity; sid:2013266; rev:2; metadata:created_at 2011_07_14, updated_at 2011_07_14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SslCrypt Server Communication"; flow:established,to_server; content:"?id="; http_uri; content:"&time="; http_uri; content:"&imei="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/adware_sslcrypt!symbos.html; classtype:trojan-activity; sid:2012863; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.AdSms Retrieving XML File from CnC Server"; flow:established,to_server; content:"/Submit.aspx?ver="; http_uri; content:"&sys="; http_uri; content:"&imei="; http_uri; content:"&ua="; http_uri; content:"&pro="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013316; rev:4; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MOBILE_MALWARE Android.AdSms XML File From CnC Server"; flow:established,from_server; content:""; content:""; content:"<|2F|mobile>"; within:50; content:""; distance:0; content:""; distance:0; content:""; distance:0; reference:url,www.fortiguard.com/encyclopedia/virus/android_adsms.a!tr.html; classtype:trojan-activity; sid:2013317; rev:4; 
metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_26, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android.Zitmo Forwarding SMS Message to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/security.jsp"; nocase; http_uri; content:"|0d 0a 0d 0a|f0="; content:"&b0="; distance:0; content:"&pid="; distance:0; reference:url,blog.fortinet.com/zitmo-hits-android/; classtype:trojan-activity; sid:2013327; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_27, updated_at 2016_07_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server"; flow:established,to_server; content:"/webapi/sms.php"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/spy_mobilespy!iphoneos.html; classtype:trojan-activity; sid:2012857; rev:3; metadata:created_at 2011_05_25, updated_at 2011_05_25;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApp.B Sending Device Information"; flow:established,to_server; content:"/android_notifier/notifier.php?app="; http_uri; content:"&deviceId="; http_uri; content:"&mobile="; http_uri; content:"&country="; http_uri; content:"&carrier="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302891; classtype:trojan-activity; sid:2013965; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; 
content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_11_23, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2012_01_27, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/Plankton.P Commands Request to CnC Server"; flow:established,to_server; content:"/ProtocolGW/protocol/commands"; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_PLANKTON.P; classtype:trojan-activity; sid:2014215; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, 
created_at 2012_02_07, updated_at 2016_07_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android/HippoSms Method Request to CnC"; flow:established,to_server; content:"/clientRequest.htm?method="; http_uri; nocase; content:"&os="; http_uri; content:"&brand="; nocase; http_uri; content:"&sdkVersion="; nocase; http_uri; pcre:"/method\x3D(update|startcharge)/Ui"; reference:url,www.fortiguard.com/encyclopedia/virus/android_hipposms.a!tr.html; classtype:trojan-activity; sid:2013299; rev:3; metadata:affected_product Android, attack_target Client_Endpoint, deployment Perimeter, tag Android, signature_severity Critical, created_at 2011_07_23, updated_at 2016_07_01;) #alert tcp $HOME_NET 8888 -> any any (msg:"ET MOBILE_MALWARE iOS Keylogger iKeyMonitor access"; flow:from_server,established; content:"/>Keystrokes - iKeyMonitor